

Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)


15 replies to this topic

#1 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 04 November 2011 - 03:41 PM

Security Advisory 2639658 relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes.  An update is not expected to be ready for delivery with the scheduled November update.  A Microsoft Fix it solution is available from Microsoft KB Article 2639658.

Additional details are available in my article at Microsoft Fix it for Duqu Malware, Security Advisory 2639658.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#2 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 16,485 posts

Posted 04 November 2011 - 04:52 PM

Thanks Corrine for posting about the workaround!
BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#3 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 14,834 posts

Posted 04 November 2011 - 05:07 PM

You know, you guys should make a Sticky in the All Things Windows area of the board for Security Announcements. We do this for some of the major distros in the BATL area. It can be helpful to members.



#4 OFFLINE   mac

mac

    Message Mogul

  • Members
  • 407 posts

Posted 05 November 2011 - 07:52 AM

QUOTE (V.T. Eric Layton @ Nov 4 2011, 04:07 PM)
You know, you guys should make a Sticky in the All Things Windows area of the board for Security Announcements. We do this for some of the major distros in the BATL area. It can be helpful to members.

Seconded!
Mac
"Long ago, when men cursed and beat the ground with sticks,
it was called witchcraft. Today it's called golf." -- Will Rogers (1879-1935)

#5 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 05 November 2011 - 03:40 PM

There really aren't the number of Security Advisories that there used to be. Thus far in 2011, there have been three: 1. the Advisory addressed in this topic, and two others:

2. Microsoft Security Advisory (2501696): Vulnerability in MHTML Could Allow Information Disclosure, Published: Friday, January 28, 2011 (April 12, 2011: Advisory updated to reflect publication of security bulletin).

3. Microsoft Security Advisory (2588513): Vulnerability in SSL/TLS Could Allow Information Disclosure, Published: Monday, September 26, 2011

This one is tricky. Although there is a Microsoft Fix it solution (see KB Article 2588513), note that if the protocols are loaded, some secure sites will fail to load. (See EricLaw's IEInternals, "Misbehaving HTTPS Servers impair TLS 1.1 and TLS 1.2", http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx.) In addition, as I understand it, the primary issue is on web servers, rather than the client.


#6 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 14,834 posts

Posted 05 November 2011 - 09:11 PM

It's a good thing that there aren't as many as there used to be. Right? Anyway, I think it would still be helpful to collect them all in one place. I get those MS Win Security emails about once or twice a month these days. You're right, though. It used to be much more often.


#7 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 06 November 2011 - 07:39 PM

After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.

#8 OFFLINE   Tushman

Tushman

    Forum Fiend

  • Members
  • 1,799 posts

Posted 06 November 2011 - 11:28 PM

QUOTE (Corrine @ Nov 6 2011, 05:39 PM)
After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.


I don't particularly care for that kind of hand holding in the "Microsoft Fix it" automated tool. Most of the time they're just simple command lines or registry modifications you can make on your own. For anyone else interested in running it manually, you can use the workaround solution linked to in the MSKB article outlined here. You will need to click on the '+' in order to expand the paragraph and display the actual steps involved for the fix.

In this case, I made a simple batch file for it and called it up from an elevated command shell window. I ran Windows Update afterwards and did not see any such problems.

#9 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 07 November 2011 - 02:12 PM

Most home computer users do not have the knowledge to create batch files, and letting them loose in the registry is dangerous. The Fix it tools are merely doing the same thing you're doing manually, for those not having the same knowledge set.

BTW, I advise disabling the fix prior to installing the update when it is released.

From the reports I have seen, the problem with the two updates being repeatedly re-offered has been limited to Windows XP.

#10 OFFLINE   Tushman

Tushman

    Forum Fiend

  • Members
  • 1,799 posts

Posted 07 November 2011 - 03:52 PM

QUOTE (Corrine @ Nov 7 2011, 12:12 PM)
Most home computer users do not have the knowledge to create batch files, and letting them loose in the registry is dangerous. The Fix it tools are merely doing the same thing you're doing manually, for those not having the same knowledge set.


I very much agree - I should have said in my post that those sentiments apply only to me or to power users that don't need the hand holding.

BTW - since I have never used the Microsoft Fix it tool - I'd like to ask you if you have used it. More than anything, I'm curious to know how it works - obviously it requires the user to download something... What is the actual mechanism? VBScript? ActiveX?

#11 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 08 November 2011 - 10:29 PM

Not ActiveX, just a simple .msi installer you download to make the same changes you made with the batch you created.

#12 OFFLINE   zlim

zlim

    It's me, plodr

  • Forum MVP
  • 6,061 posts

Posted 09 November 2011 - 11:57 AM

Stupid question: Is there a way for me to tell if I have used Fix it 50792?
With the power going off, then on, then off again, I'm not sure if I did this to one of the computers.

I guess I could go through the enable again, and it wouldn't hurt anything if it was already done, but I'd like some way of being able to see.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I saw I downloaded it so I ran it again. It creates a restore point. I then looked over my restore points and was able to determine I installed it on the 7th and again today.

Edited by zlim, 09 November 2011 - 12:33 PM.

Liz
Registered Linux User # 401459
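One way to answer the question above without re-running the tool, as an added example that is not from the thread or from Microsoft: since the Fix it creates a System Restore point, list the restore points and look for one created around the time it was run. The "Fix it" substring used to filter descriptions is an assumption; adjust it to whatever description appears in your own restore-point list. Get-ComputerRestorePoint exists in Windows PowerShell (client editions of Windows), not in PowerShell 6 or later.

```powershell
# Added example: list System Restore points to see whether (and when) a
# Fix it has already been applied on this machine. Run from an elevated
# Windows PowerShell prompt.
param(
    # Assumed substring of the restore point description; adjust as needed.
    [string]$Pattern = 'Fix it'
)

# CreationTime comes back as a WMI datetime string, so convert it for display.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description = $_.Description
    }
} | Sort-Object Created

# Full list, oldest first, so you can match dates against your own memory.
$points | Format-Table -AutoSize

# Only the restore points whose description matches the assumed pattern.
$matches = $points | Where-Object { $_.Description -like "*$Pattern*" }
if ($matches) {
    $matches | ForEach-Object {
        "Possible Fix it run: restore point #$($_.Sequence) created $($_.Created)"
    }
} else {
    "No restore point description matched '*$Pattern*'; check the full list above by date."
}
```

If two matching restore points appear on one computer, the Fix it was most likely run twice, which is the situation described in this post.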

#13 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 09 November 2011 - 09:43 PM

Just remember to run the disable when the update is released. (Are you going to disable it twice on that computer?)

#14 OFFLINE   zlim

zlim

    It's me, plodr

  • Forum MVP
  • 6,061 posts

Posted 09 November 2011 - 09:54 PM

Guess so, just to be sure!
I had to do this with another Fix it from a few months back - enable, then disable when the fix was released.

#15 OFFLINE   ebrke

ebrke

    Multithreader

  • Members
  • 1,292 posts

Posted 10 November 2011 - 07:43 PM

QUOTE (Corrine @ Nov 6 2011, 07:39 PM)
After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.

Shoot, I should have known to come here first. I just opened a trouble ticket with Microsoft via email on this exact issue. Well, I'll let them take their time to work on it, but at least I know what they'll say when they get back to me. It's weird having the Microsoft Update website tell you in the History that the updates are successfully installed, and at the same time insist that they be installed again.

Even ESET NOD32 antivirus doesn't recognize that these updates have been installed and notifies that the operating system is not up-to-date. Can we depend on the Review Install History at the MS Update site? This is my Mom's 'puter and I'd like to be sure these updates did actually install.

#16 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 2,910 posts

Posted 10 November 2011 - 11:12 PM

Someone at another site was having problems and questioned whether they should proceed with the Fix it.  My reply:

The choice is yours as to whether you wish to install the Fix it. If you do enable the Fix it, don't forget to run the disable prior to installing the update when it is released.

With safe surfing and updated A/V, the risk doesn't seem great. From the MSRC blog {Bold Added}:
QUOTE
To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

{Snip}

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.
