As expected, Microsoft did not address the kernel-level Windows vulnerability exploited by the Duqu Trojan in its November 2011 Patch Tuesday security updates today. Microsoft did release four bulletins, including a fix for a "critical" remote-execution vulnerability involving the way the Windows TCP/IP stack handles UDP requests.
Microsoft advises users to implement a workaround issued last week as a temporary fix for the hole targeted by Duqu, malware initially thought to be an offshoot of the Stuxnet Trojan. The vulnerability is in the Win32k TrueType font-parsing engine; attackers exploiting the vulnerability could run arbitrary code in kernel mode. This would allow an attacker to remotely install malware, alter data or create new accounts with full privileges, Microsoft said. A successful attack would have to be carried out over email via a malicious attachment, last week’s advisory said.
“It’s a very manageable month,” said Marcus Carey, security researcher and community manager at Boston-based vulnerability management company Rapid7, regarding the entirety of the November 2011 Patch Tuesday updates. “Duqu is still the most noteworthy. [Microsoft] didn’t have enough time to patch it. They’re still researching the implications of that vulnerability. … I believe they don’t think they need to issue a patch right away because they already released a workaround.”
Tuesday’s updates affect Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
MS11-083 was the only critical vulnerability, a flaw in the Microsoft Windows TCP/IP stack that, if left unpatched, could allow remote code execution if an attacker sent a constant barrage of specially crafted UDP packets to a closed port on the targeted system.
However, because the vulnerability has not been publicly disclosed, it doesn't raise the alarms too high, said Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc. “The attacker has to figure out what packet to send,” Miller said. “It takes a bit to do that, but it is still important to patch this one.”
Two of the remaining bulletins, MS11-085 and MS11-086, are rated “important” while the last one, MS11-084, is rated “moderate.”
MS11-085 patches a vulnerability in Windows Mail and Windows Meeting Space that could also allow remote code execution but only if the user visits an untrusted remote file system location and opens a legitimate file from that location.
“MS11-085, we’re seeing this one come every month,” said Miller. “It’s the same vulnerability just different types of software.”
An update involving Windows Active Directory, MS11-086, could allow an elevation of privileges if the software is configured to use LDAP over SSL and the attacker acquires a revoked certificate associated with a valid domain account. Active Directory is not configured to use LDAP over SSL by default.
MS11-084 is rated "moderate" and fixes a flaw in Windows Kernel-Mode Drivers that could allow denial of service. Applying this update also requires a restart. The vulnerability can only be successfully exploited if a user willfully visits an untrusted remote file system location containing a specially crafted TrueType font file or opens the file as an email attachment.