Microsoft released four security bulletins as part of its November Patch Tuesday update, according to the advisory released Nov. 8. One bulletin was marked critical, one moderate and the remaining two important.
The majority of bulletins only apply to newer versions of Windows. XP and 2003 users were only affected by the MS11-085 bulletin, which was rated important. It's possible that the flaws being fixed were introduced with Windows Vista, Marcus Carey, a security researcher at Rapid7, told eWEEK. Vulnerabilities are generally found in earlier versions of the operating system, so this month was unusual, according to Carey.
The remote code execution vulnerability in the Windows TCP/IP stack had the highest priority, Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Center blog. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system, according to Voss.
The vulnerability does not require any user interaction or authentication, so any Windows machine exposed to the Internet is vulnerable to attack, according to Amol Sarwate, manager of Qualys Vulnerability Labs. The attack is complicated to execute, and Microsoft has assigned it an Exploitability Index rating of 2, meaning it expects working exploit code to be difficult to build. If an attacker does succeed, the flaw "has all the required markings for a big worm," Sarwate said.
Symantec estimated that an attack exploiting the flaw would "take a considerable amount of time," at least 4 to 5 hours for a single attack, according to Joshua Talbot, security intelligence manager at Symantec Security Response. If the attacker succeeds, the result would be a "complete system crash or compromise," Talbot said.
Rapid7's Carey said the vulnerability could also be used to launch a denial-of-service (DoS) attack against the targeted machine. The flaw could affect any service, not just Web servers, "which would be better than the garden variety DoS attack," Carey said. Since this is a "core flaw" in how systems process UDP traffic, any computer that accepts UDP traffic should be patched as soon as possible, according to Carey. It would "also be a good time" to revisit firewall configurations to ensure ports not being used are blocked, he said.
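As an added example, not code from the article or from any of the researchers it quotes, the following PowerShell script does the two checks Carey's advice implies on a Windows host: it shows whether each Windows Firewall profile is on and what its default inbound policy is, and it inventories UDP sockets bound to all interfaces together with their owning process, so the inbound rule set can be narrowed to the ports actually in use. It relies only on netstat and netsh; the function names and the sample block rule are this example's own.

```powershell
# Added example, not code from the article or from the researchers it quotes.
# Run from an elevated PowerShell prompt. It relies only on netstat.exe and
# netsh.exe, which exist on Windows XP / Server 2003 and later, and uses
# New-Object rather than [pscustomobject] so it also runs on PowerShell 2.0.

function Get-FirewallProfileState {
    # Shows State (ON/OFF) and Firewall Policy (e.g. BlockInbound,AllowOutbound)
    # for the Domain, Private and Public profiles. Unsolicited inbound UDP is
    # only dropped by the host firewall when the active profile is ON and its
    # inbound policy is BlockInbound.
    netsh advfirewall show allprofiles |
        Where-Object { $_ -match '^(\S+ Profile Settings:|State|Firewall Policy)' }
}

function Get-UdpListener {
    # Parses the UDP lines of "netstat -ano", e.g.
    #   UDP    0.0.0.0:123     *:*     1044
    #   UDP    [::]:5355       *:*     1312
    # into objects carrying the owning process. Sockets bound to 0.0.0.0 or
    # [::] accept datagrams on every interface, so those ports must be allowed
    # inbound; every other UDP port should fall to the profile's default block.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*UDP\s+(.+):(\d+)\s+\*:\*\s+(\d+)\s*$') {
            $address = $matches[1]
            $port    = [int]$matches[2]
            $owner   = [int]$matches[3]
            $proc    = Get-Process -Id $owner -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port          = $port
                LocalAddress  = $address
                ProcessId     = $owner
                Process       = $(if ($proc) { $proc.ProcessName } else { 'unknown' })
                AllInterfaces = ($address -eq '0.0.0.0' -or $address -eq '[::]')
            }
        }
    }
}

function Block-InboundUdpPort {
    # Adds an explicit inbound block rule for a UDP port this host does not
    # need to serve. Each "key=value" pair is quoted as a whole so PowerShell
    # hands netsh a single argument even when the rule name contains spaces.
    param([Parameter(Mandatory = $true)][int]$Port)
    netsh advfirewall firewall add rule "name=Block inbound UDP $Port" dir=in action=block protocol=UDP "localport=$Port"
}

# Review the firewall profiles, then the exposed UDP services.
Get-FirewallProfileState
Get-UdpListener | Sort-Object Port |
    Format-Table Port, LocalAddress, Process, ProcessId, AllInterfaces -AutoSize
# Block-InboundUdpPort -Port 1900   # e.g. SSDP, if UPnP discovery is not needed
```

The listener inventory is the useful half: the attack described above targets closed ports, so the point of the review is to confirm that the profile's default inbound action is block and that only the ports in the inventory have allow rules, rather than to add a block rule per port.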
Another bulletin closes yet another Dynamic Link Library (DLL) preloading vulnerability, this time in Windows Mail. Microsoft has been closing this class of issue in various applications since August 2010. Sarwate recommended that users implement the generic workaround provided by Microsoft (Knowledge Base article 2264107), which hardens the DLL search order so that attacks using DLL preloading are blocked. Carey said attackers are likely to exploit this security flaw as part of a social engineering attack.
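The generic workaround referred to above is a registry value, CWDIllegalInDllSearch, that the KB 2264107 update adds to control whether the current working directory is searched for DLLs. As an added example, not code from the article or from Microsoft, the PowerShell below sets and reads that value system-wide and per application; the function names are this example's own, and WinMail.exe is assumed to be the executable name of the affected mail client.

```powershell
# Added example, not code from the article or from Microsoft. Sets the
# CWDIllegalInDllSearch registry value documented in Microsoft KB 2264107.
# The update shipped with that KB must already be installed; without it the
# value is ignored. Run from an elevated PowerShell prompt.
#
# Levels documented in KB 2264107 (REG_DWORD):
#   0xFFFFFFFF  remove the current working directory (CWD) from the DLL search
#               order entirely (strongest; may break applications that load
#               DLLs from their CWD)
#   2           block DLL loads from the CWD when it is a WebDAV folder
#   1           block DLL loads from the CWD when it is any remote folder
#               (WebDAV or UNC)
#   0 / absent  default search order, so a DLL planted next to a document
#               opened from a share is still a load candidate

$systemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$valueName = 'CWDIllegalInDllSearch'

function Set-DllPreloadingProtection {
    # -Level -1 writes 0xFFFFFFFF (a DWORD of -1 is stored as FFFFFFFF).
    # -Application limits the setting to one executable through its Image File
    # Execution Options key, which takes precedence over the system-wide value.
    param(
        [ValidateSet(-1, 0, 1, 2)][int]$Level = 2,
        [string]$Application
    )
    $key = $systemKey
    if ($Application) {
        $key = Join-Path $ifeoKey $Application
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $key -Name $valueName -Value $Level -Type DWord
}

function Get-DllPreloadingProtection {
    # Reads the value back as an unsigned number (0xFFFFFFFF reads as
    # 4294967295 rather than -1) and returns 0 when it is not set.
    param([string]$Application)
    $key = $systemKey
    if ($Application) { $key = Join-Path $ifeoKey $Application }
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$item.$valueName), 0)
}

# System-wide: stop DLL loads when the working directory is a WebDAV share,
# then read the value back to confirm.
Set-DllPreloadingProtection -Level 2
Get-DllPreloadingProtection

# Per application: the strongest level for Windows Mail only. WinMail.exe is
# the assumed executable name of the affected client.
Set-DllPreloadingProtection -Level -1 -Application 'WinMail.exe'
Get-DllPreloadingProtection -Application 'WinMail.exe'
```

Level 2 is the safe default for a fleet; 0xFFFFFFFF closes the local-directory variant as well but is the one most likely to break applications, which is why it is shown scoped to a single executable here.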
Tyler Reguly, technical manager of security research and development at nCircle, expressed surprise that Microsoft is still releasing fixes for DLL preloading. "While I'd expect that we would continue to see these from third-party software vendors, I assumed that Microsoft had already identified all of these flaws internally by now," he said.
A TrueType font vulnerability was fixed in the Windows kernel, which could cause a denial of service if left unpatched. This TrueType bug is different from the zero-day vulnerability recently identified as being exploited by the Duqu Trojan.
"I wonder if we are seeing the beginning of a new malware trend focused on exploiting kernel and font parsing bugs," said Andrew Storms, director of security operations at nCircle.
Microsoft also fixed a potential privilege escalation flaw in Active Directory. "There are so many requirements related to this vulnerability that I think it would be difficult to exploit in the wild," Carey said.
Security researchers also focused on what Microsoft did not release: a patch for the TrueType font-parsing zero-day exploited by Duqu. Microsoft published a security advisory on Nov. 3 along with a temporary workaround, which denies access to the T2EMBED.DLL font-embedding library, for organizations to apply while waiting for the patch. It's possible that the permanent fix will be released as an "out-of-band" patch, but Microsoft has not provided any timelines.
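As an added example, not code from the article or from Microsoft, the PowerShell below wraps the T2EMBED.DLL workaround from Microsoft Security Advisory 2639658 (the same cacls invocation the advisory gives) in functions to apply it, verify it and revert it once the patch ships; the function names are this example's own.

```powershell
# Added example, not code from the article or from Microsoft. Applies, checks
# and reverts the "Deny access to T2EMBED.DLL" workaround from Microsoft
# Security Advisory 2639658. Side effect noted in the advisory: applications
# that render embedded fonts stop displaying them until access is restored.
# Run from an elevated PowerShell prompt.

# On 64-bit Windows both the native and the WOW64 copy must be covered.
$t2embed = @("$env:windir\system32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $t2embed += "$env:windir\SysWOW64\t2embed.dll"
}

function Disable-T2Embed {
    # Mirrors the advisory's "Echo y| cacls ... /E /P everyone:N": /E edits
    # the existing ACL in place, /P everyone:N adds an explicit Deny for
    # Everyone, and the piped "y" answers the confirmation prompt. "everyone"
    # is the English group name; use the localized name on other installs.
    foreach ($dll in $t2embed) {
        'y' | cacls $dll /E /P everyone:N
    }
}

function Enable-T2Embed {
    # Removes the Everyone entry again, leaving the original inherited ACL.
    foreach ($dll in $t2embed) {
        cacls $dll /E /R everyone
    }
}

function Test-T2EmbedDenied {
    # $true only when every copy carries an explicit Deny for Everyone
    # (well-known SID S-1-1-0), so the check is independent of display language.
    foreach ($dll in $t2embed) {
        $acl  = Get-Acl -Path $dll
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        if (-not $deny) { return $false }
    }
    return $true
}

Disable-T2Embed
Test-T2EmbedDenied
# Enable-T2Embed    # run once the permanent fix is installed
```

Keep the revert step on the deployment checklist: the deny ACE survives the eventual patch, and a host left with it in place will keep failing to render embedded fonts long after the fix is installed.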
IT departments and end users should implement the workaround and also follow standard security best practices, such as installing an antivirus and keeping it updated, and not clicking on attachments, according to Talbot.
"Having good security software in place and updated will help prevent an attack, since most security vendors already detect and block the main Duqu files," Talbot said.
On the same day, as part of its "Black Tuesday" update, Adobe patched Shockwave Player. The security update addressed critical vulnerabilities in Shockwave Player 11.6.1.629 and earlier for Windows and Macintosh. These flaws could be exploited by an attacker to run malicious code, Adobe said. Adobe fixed two memory corruption vulnerabilities in the DIRapi library and multiple memory corruption issues in the TextXtra module. There currently aren't any exploits in the wild targeting these vulnerabilities, according to the company.
Apple also released Java updates for Mac OS X Lion and Snow Leopard. Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 patch 17 vulnerabilities that Oracle had already fixed for other operating systems. The most serious bug may allow an untrusted Java applet to execute code outside the Java sandbox, Apple said in its advisory.