One critical patch from Microsoft - but no fix for #Duqu vulnerability

News by Dan Raywood

Microsoft released four security updates on Patch Tuesday.

According to Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, patch MS11-083 should be deployed first, as it resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

Wolfgang Kandek, CTO of Qualys, said this "should be patched with the highest urgency" as it does not require any user interaction or authentication and all Windows machines, workstations and servers that are on the internet can be freely attacked. “This is the patch to apply this month if you have Vista, Windows 7 or Windows 2008, including R2,” he said.

Jason Miller, manager of research and development at VMware, said: “There are a few items that will make it difficult for an attacker to use this exploit in a worm. First, the network port attacked on the target machine must be closed. Second, a normal UDP packet streamed to a vulnerable machine will not allow the attacker to gain access to the system.

“The UDP packet must be 'specially' crafted. An attacker will need to figure out the type of packet to send to a vulnerable machine. Finally, this vulnerability was privately disclosed to Microsoft so there is no known code out in the wild at this time, and Microsoft has not received any reports of attacks against this vulnerability.”

Andrew Storms, director of security operations at nCircle, said: “The only critical bulletin this month doesn't look very threatening, at least on the surface. The Microsoft Security Research and Defense team blogged about the attack scenario for this bug and described it as ‘difficult to exploit in a real world scenario’, probably because default firewall configuration settings successfully block the attack.

“Enterprise security teams should patch this critical bug fairly quickly anyway because if attackers find a way to leverage it, they can gain remote code execution privileges.”

Kandek also highlighted bulletin MS11-085, which is rated important and affects users of Windows 2003. Marcus Carey, Rapid7's security researcher and community manager, said: “MS11-085 is a vulnerability in Windows Mail and Meeting Space, which affects a smaller number of organisations, but is also a possible vector for remote code execution by enticing users to click on malicious files. This attack would be used as part of a social engineering campaign. This should be next in line to patch after the critical one.”

Storms said bulletin MS11-084 was the most interesting bulletin this month, as it deals with how font files are parsed and appears, on the surface, to have a lot in common with the Duqu advisory that Microsoft released last week.

Tyler Reguly, technical manager of security research and development at nCircle, said: “MS11-086 is the most interesting patch today since Active Directory servers using LDAP over SSL fail to check the certificate revocation list. Given all the issues with SSL lately, this could be important.

“One of the things that surprised me this month is that we're still seeing fixes for DLL preloading. While I expected to continue to see these from third-party software vendors, I assumed that Microsoft had already identified all of these flaws internally by now.”
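What "failing to check the certificate revocation list" means in practice, as an added example that is not code from the article, from nCircle or from Microsoft: an in-memory CA issues a certificate for the hypothetical LDAPS host ldap.example.test, then publishes a CRL revoking it. Plain chain validation, which is all a client does when it skips the CRL, accepts the revoked certificate; the CRL check rejects it, and also fails closed when the CRL is past its NextUpdate. Everything is generated at run time with Go's standard library (Go 1.19 or later is assumed for x509.ParseRevocationList); the host name, serial numbers and validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the server certificate's serial number is on the CRL.
var ErrRevoked = errors.New("server certificate is revoked")

// must aborts the example if building the constructed PKI fails.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildScenario creates, in memory, an issuing CA, a server certificate for the
// hypothetical LDAPS host ldap.example.test, and a CA-signed CRL revoking it.
func BuildScenario() (issuer, server *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is what lets a client accept a CRL signed by this CA.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	issuer = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "ldap.example.test"},
		DNSNames:     []string{"ldap.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	server = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, srvTmpl, issuer, &srvKey.PublicKey, caKey))))
	// The CA revokes the server certificate (say, after a key compromise) and
	// publishes a CRL that is current for the next 12 hours.
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: srvTmpl.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}, issuer, caKey))
	return issuer, server, crlDER
}

// VerifyChainOnly is what a client that never consults the CRL does. Go's
// x509.Verify, like most TLS stacks, performs no revocation check by itself.
func VerifyChainOnly(server, issuer *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "ldap.example.test", CurrentTime: now})
	return err
}

// CheckAgainstCRL is the missing step: parse the CRL, confirm the issuer signed
// it, fail closed if it is past NextUpdate, then look the serial number up.
func CheckAgainstCRL(server, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: fail closed rather than assume the certificate is good")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(server.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	issuer, server, crlDER := BuildScenario()
	now := time.Now()
	fmt.Println("chain only:", VerifyChainOnly(server, issuer, now))
	fmt.Println("with CRL:", CheckAgainstCRL(server, issuer, crlDER, now))
}
```

Run with `go run`, the chain-only check prints `<nil>` for a certificate the CA has already revoked, which is the condition the bulletin describes; the CRL check returns the revocation error. The staleness branch matters as much as the lookup: a client that treats an expired or unobtainable CRL as "no revocations" gets the same outcome as one that never checked.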

