X-Labs
November 7, 2011

CVE-2011-3402 Vulnerability in TrueType Font Parsing

Patrik Runald

When Duqu, which most believe was written by the same group that wrote Stuxnet, was originally uncovered, the infection vector was still unknown: how did the machines get compromised in the first place? That changed when the Hungarian research lab CrySys announced that it had found the dropper, a Word file that used a new 0-day vulnerability in how Windows parses TrueType fonts.

Microsoft has confirmed that there is indeed a vulnerability in TrueType font parsing. An attacker could use this vulnerability to run arbitrary code in kernel mode. Vulnerabilities that allow the attacker to run code directly in kernel mode are very rare, and the attacker could, for example, create new user accounts with full access rights. More information is available from Microsoft in Security Advisory 2639658.

Microsoft has also released a Fix-It tool that will temporarily mitigate any attack using this vulnerability. 
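The Fix-It tool is Microsoft's packaged form of the workaround documented in Security Advisory 2639658, which is to deny all access to the font-embedding library t2embed.dll so that the vulnerable parsing code cannot be loaded. The script below is an added example, not the Fix-It tool and not code from this post: it applies that workaround with the same takeown/icacls commands the advisory uses and then verifies through the file ACL that the deny entry is actually in place. Paths and the SysWOW64 handling are assumptions for a 64-bit system; run it from an elevated prompt.

```powershell
# Added example: apply and verify the advisory 2639658 workaround for
# CVE-2011-3402 (deny everyone access to t2embed.dll). Must run elevated.
# Assumption: 64-bit Windows keeps a second copy under SysWOW64.

$targets = @("$env:windir\system32\t2embed.dll")
if (Test-Path "$env:windir\syswow64\t2embed.dll") {
    $targets += "$env:windir\syswow64\t2embed.dll"
}

# Returns $true when the DACL carries a Deny/FullControl entry for the
# well-known Everyone SID (S-1-1-0). Comparing SIDs avoids locale issues
# with the localized name of the Everyone group.
function Test-T2EmbedDenied {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.AccessControl.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-1-0' -and
            ($ace.FileSystemRights -band
             [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
             [System.Security.AccessControl.FileSystemRights]::FullControl) {
            return $true
        }
    }
    return $false
}

# Applies the deny ACE exactly as the advisory does: take ownership first
# (the file is owned by TrustedInstaller), then add the deny entry.
function Set-T2EmbedDenied {
    param([Parameter(Mandatory)][string]$Path)
    & takeown.exe /f $Path | Out-Null
    & icacls.exe $Path /deny "everyone:(F)" | Out-Null
}

# Removes only the deny ACE added above, for rolling back once the patch
# is installed (icacls /remove:d strips deny entries for the given SID).
function Remove-T2EmbedDenied {
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe $Path /remove:d everyone | Out-Null
}

foreach ($t in $targets) {
    if (-not (Test-T2EmbedDenied -Path $t)) {
        Set-T2EmbedDenied -Path $t
    }
    '{0}: deny ACE present = {1}' -f $t, (Test-T2EmbedDenied -Path $t)
}
```

The check function is the useful part operationally: it can be run on its own across a fleet to confirm the workaround (or the Fix-It) really took effect before the patch is deployed. As with the advisory's workaround, denying access to t2embed.dll breaks applications that rely on embedded fonts, so Remove-T2EmbedDenied should be run once the security update is installed.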

Websense, as an active member of the Microsoft MAPP program, has worked with Microsoft to develop protection for our customers. Our security solution will block as "Malicious Web Sites" any attempts to download a file containing an exploit that uses this vulnerability:

[Image: Block message when trying to download a file exploiting CVE-2011-3402]

Websense will continue to work closely with Microsoft and the security community to monitor this prevalent threat.
