Bumper Microsoft patch revisits old flaw

Seven fixes for Patch Tuesday, as an old "Duqu" vulnerability once again rears its ugly head

Stewart Mitchell
9 May 2012

Microsoft has released a bumper seven-patch security bulletin to address 23 flaws in its software.

The patches include three “critical” and four “important” fixes, and one (MS12-034) that the company said would readdress the Duqu vulnerability that was found to be in more of its products than previously thought.

According to the company, its previous fix for the Duqu exploit, in which the malware executed arbitrary code when a user opened a malicious Office document, addressed "an insufficient bounds check within the font parsing subsystem of win32k.sys".

Although it patched the initial Office problem five months ago, Microsoft said it had since discovered further related weaknesses in other products, which it claimed explained the size of the security update.

“In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code,” said Microsoft engineer Jonathan Ness in a company blog.

“Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll.

“We know that several third-party applications – third-party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code.”

The company said it had been working on a “Cloned Code Detection” system to identify instances of the vulnerable code in any shipping product, which was how it discovered the vulnerability ran across so many products.
