{"id":11894,"date":"2011-11-08T18:46:00","date_gmt":"2011-11-08T18:46:00","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=11894"},"modified":"2011-11-08T18:46:00","modified_gmt":"2011-11-08T18:46:00","slug":"microsoft-issues-duqu-workaround-msa-2639658cve-2011-3402","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=11894","title":{"rendered":"Microsoft Issues Duqu Workaround (MSA 2639658\/CVE-2011-3402)"},"content":{"rendered":"

In the last couple of weeks we\u2019ve heard quite a bit about the alleged \u201cStuxnet\u201d variant called Duqu<\/a>.  This Trojan uses a zero-day vulnerability that exploits the TrueType font parsing engine.  The Trojan replicates itself, does whatever it does<\/a> (still not entirely clear), and removes itself after 36 days to avoid detection.  That last bit is sneaky; it could steal passwords or certs, high-tail it before the heat arrives, and you\u2019d never know to reset anything that was stolen.  Very clever!<\/p>\n

While Microsoft are working on a hotfix, they have issued an advisory that contains a workaround to prevent infection<\/a>.  The actions depend on your operating system, but revolve around changing the permissions of t2embed.dll.<\/p>\n

I\u2019ve become very hesitant of these workarounds.  A few months ago I worked on a site that had no choice but to deploy such a workaround for Conficker.<\/p>\n

I was installing a ConfigMgr 2007 R3 site server.  I installed ConfigMgr and checked the health of the system (it\u2019s easy to miss a pre-req and get some sort of error).  Then I got the strangest error that I had never seen before; the management point role would not install.  What normally happens is the site server is installed (not far from next-next-next), and then a number of default roles install automatically.  The management point is usually painless.  I googled, binged, you name it, and had no joy.  A day later and 2 things gave me the solution:<\/p>\n

    \n
  1. I had been told of the Conficker infection and clean up job that was done<\/li>\n
  2. I found an obscure post with a similar error that pointed to a system registry key permissions issue.<\/li>\n<\/ol>\n

    1 + 1 and I verified this key was a part of the Microsoft Conficker workaround advisory.  Now, I needed to find how this was deployed.  GPMC made it easy to find a GPO that was responsible.  Permission changes via GPO are tattooed so I reversed the edits (AV was up to date).  I forced the policy refresh on the site server, reran the ConfigMgr install and the Management Point installed.  Luckily the customer had <\/em>used GPO and made this workaround very easy deploy for them, and ID\/reverse for me.<\/p>\n

    By the way, part of the change was changing permissions of scheduled tasks.  It turns out that backup jobs hadn\u2019t been running correctly for a while.<\/p>\n

    So the lesson is:<\/p>\n