MS12-034: Duqu, ten CVE’s, and removing keyboard layout file attack surface

There are several interesting “stories” to tell about security update MS12-034:

  • Addressing the Duqu vulnerability again?
  • Why so many affected products?
  • Keyboard layout behavior introduced with Windows Vista conditionally applied down-level

Addressing the Duqu vulnerability again?

Five months ago, we released security update MS11-087 to address CVE-2011-3402, a vulnerability that was being exploited by the Duqu malware to execute arbitrary code when a user opened a malicious Office document. As you can read from the SRD blog post we published at the time, this vulnerability was due to an insufficient bounds check within the font parsing subsystem of win32k.sys.

In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll. We know that several third-party applications – third-party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code.

The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087 – Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base. To that end, we have been working with Microsoft Research to develop a “Cloned Code Detection” system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product. This system is the one that found several of the copies of CVE-2011-3402 that we are now addressing with MS12-034.

Why so many affected products?

At first glance, MS12-034 may seem to be addressing a number of unrelated vulnerabilities in unrelated products. For example, why would a keyboard layout handling vulnerability be addressed in the same update as a Silverlight issue? However, as described above, we needed to address the font parsing vulnerability (CVE-2011-3402) in a number of different products. As each new product was added to the security update package, the vulnerabilities planned-to-be-addressed in the same binary were also included.

Addressing CVE-2011-3402 required us to service ogl.dll, gdiplus.dll, win32k.sys, Silverlight, .NET Framework, etc. Because gdiplus.dll was being addressed, several other fixes that were scheduled to be released in the same binary were looped in to this update. For example, the local elevation of privilege vulnerabilities in win32k.sys (CVE-2012-0180,0181,1848) were added because we had already included win32k.sys to address TTF parsing issues. The Silverlight and .NET Framework vulnerabilities were added because we were already servicing those binaries via CVE-2011-3402. In the end, it’s probably for the best to require fewer updates to be installed, but we understand that it can be confusing. Hopefully that explanation will help you understand the reasoning behind the decision to include ten CVE’s in a single bulletin.

Keyboard layout behavior introduced with Windows Vista conditionally applied down-level

In addition to addressing the vulnerabilities described in the bulletin, this security update also closes the malicious keyboard layout file attack vector. Windows Vista introduced a requirement that all keyboard layout files be loaded from %windir%\system32. MS12-034 ports that change downlevel to Windows XP and Windows Server 2003 as well. With this new update in effect, vulnerabilities like CVE-2012-0181 (being addressed today) and CVE-2010-2743 (one of the privilege escalation vulnerabilities used by Stuxnet) will be non-issues. Requiring an attacker to place a malicious file in the system32 directory prevents the vulnerability from being a threat.

You can read more about how this change is rolled out in the bulletin’s FAQ section, specifically “Are there special requirements related to applying the security update packages that address CVE-2012-0181?” The change will not affect systems where a keyboard layout outside %windir%\system32 is already registered on the system. You can also read more in Microsoft KB 2686509.
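
Whether a system already has a keyboard layout registered outside %windir%\system32 can be checked ahead of deployment. The PowerShell audit below is an added example, not code from the bulletin or from KB 2686509; it assumes layouts are registered under the standard HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts key with a "Layout File" value per layout, and Test-LayoutFile is a hypothetical helper name.

```powershell
# Added audit example (not Microsoft's code). Assumption: each registered layout
# is a subkey of the key below and names its DLL in a 'Layout File' value.
$root  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$sys32 = [Environment]::SystemDirectory.TrimEnd('\')

function Test-LayoutFile {
    param([string]$Klid, [string]$LayoutFile)

    # A bare file name resolves under system32. Path.Combine returns the second
    # argument unchanged when it is rooted (drive or UNC path), and GetFullPath
    # collapses any '..' segments, so the comparison sees the real location.
    $expanded = [Environment]::ExpandEnvironmentVariables($LayoutFile)
    $full     = [System.IO.Path]::GetFullPath(
                    [System.IO.Path]::Combine($sys32, $expanded))
    $inSys32  = [System.IO.Path]::GetDirectoryName($full) -ieq $sys32

    [pscustomobject]@{
        KLID       = $Klid
        LayoutFile = $LayoutFile
        Resolved   = $full
        InSystem32 = $inSys32
        Exists     = Test-Path -LiteralPath $full -PathType Leaf
    }
}

$results = Get-ChildItem -Path $root | ForEach-Object {
    $value = (Get-ItemProperty -Path $_.PSPath).'Layout File'
    if ($value) { Test-LayoutFile -Klid $_.PSChildName -LayoutFile $value }
}

# Entries to review: a layout file that resolves outside system32, or a
# registration whose file is missing from the resolved location.
$results |
    Where-Object { -not $_.InSystem32 -or -not $_.Exists } |
    Format-Table -AutoSize
```

An empty result means every registered layout file resolves directly into system32 and is present there.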


Many engineers worked hard to bring this larger-than-usual MS12-034 security update to you.  From the MSRC Engineering team, I especially want to thank Richard van Eeden and Cristian Craioveanu for their work on the font issues.  Ali Pezeshk and Gavin Thomas both also made larger-than-usual contributions to this update.  Elias Bachaalany, Elia Florio, Jinwook Shin, Neil Sikka, Ali Rahbar, and Suha Can all contributed to this update from the MSRC Engineering team.  Finally, thanks to Chengyun Chu for his work on the cloned code detection system that discovered the other instances of CVE-2011-3402.


MS12-034 addresses ten CVE’s affecting a number of different products. We hope that this blog post answers questions you might otherwise have had around the servicing decisions that went into this update. If you have any further questions, please email us at switech –at- microsoft –dot- com.

– Jonathan Ness, MSRC Engineering