Microsoft is out with its monthly Patch Tuesday update today, delivering four separate security advisories. Only one of the advisories is rated as critical, two are rated as important and one is rated as having moderate risk.
The moderate risk flaw is perhaps the most interesting update due to its striking similarity to the zero day flaw the enables the duqu virus. Duqu is a piece of malware that is directly related to Stuxnet.
Microsoft admitted last week that a Windows flaw with TrueType font handling was the root cause that enables Duqu to infect PCs. The November Patch Tuesday update does not specifically have a patch for the Duqu flaw. Rather the fixed flaw, officially titled, “Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service,” is for a different TrueType Font based attack.
“This vulnerability is related to TrueType font formats, which could confuse some because of the Duqu malware used a similar flaw,” Marcus Carey, security researcher at Rapid7, said in an email sent to InternetNews.com. “This bulletin is not related to Duqu.”
Carey added that since Microsoft has not yet issued a formal patch for the Duqu flaw he advises organizations to utilize the workaround recommended by Microsoft until a patch comes out. Microsoft has also made a “fixit” tool available for the Duqu flaw.
“Organizations should pay attention to see if Microsoft issues an out-of-cycle update to patch the vulnerability,” Carey said. “If that doesn’t happen, I suspect that Microsoft will try to aim for December’s Patch Tuesday.”
From an immediate impact perspective, the MS11-083 bulletin in the November Patch Tuesday update is the most urgent, as it carries a critical impact rating from Microsoft. The flaw is officially titled,”Vulnerability in TCP/IP Could Allow Remote Code Execution.”
“Since this vulnerability does not require any user interaction or authentication, all Windows machines, workstations and servers that are on the Internet can be freely attacked,” Qualys CTO Wolfgang Kandek wrote in his evaluation of the bulletin. “The mitigating element here is that the attack is complicated to execute.”
Rapid7’s Carey noted that the denial of service (DoS) attack vector that the TCP/IP flaw enables is the preferred weapon of choice of many hacktivist organizations. According to Carey those hacktivist organizations would likely love to be able to launch mass DoS attacks related to this flaw.
“This flaw could affect any service, not just Web servers, which would be better than the garden variety DoS attack,” Carey said. “Bottom line: since this is a core flaw in how the systems process UDP traffic, any computer running it should get this patched as soon as possible.”
The other two flaws fixed in the November Patch Tuesday update are both rated as important. The MS11-085 patch fixes a vulnerability in Windows Mail and Meeting Space that could potentially lead to remote code execution.
“The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file,” Microsoft warned in its advisory. “Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained.”
The MS11-086 patch fixes a privilege escalation issue in ActiveDirectory. While Microsoft has rated the issue as being important, attacks leverage the flaw are likely difficult to execute.
“This bulletin affects all modern Microsoft Windows platforms,” Carey said. ” There are so many requirements related to this vulnerability that I think it would be difficult to exploit in the wild.”