Microsoft Fixes Four Bugs for November Patch Tuesday

Microsoft fixed four bugs in various versions of Microsoft Windows for its November Patch Tuesday release, including a TrueType font flaw different from the one exploited by the Duqu Trojan.

Microsoft released four security bulletins as part of its November Patch Tuesday update, according to the advisory released Nov. 8. One bulletin was marked critical, one moderate and the remaining two important.

The majority of bulletins only apply to newer versions of Windows. XP and 2003 users were only affected by the MS11-085 bulletin, which was rated important. It's possible that the flaws being fixed were introduced with Windows Vista, Marcus Carey, a security researcher at Rapid7, told eWEEK. Vulnerabilities are generally found in earlier versions of the operating system, so this month was unusual, according to Carey.

The remote code execution vulnerability in the Windows TCP/IP stack had the highest priority, Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Center blog. The vulnerability could allow remote code execution if the attacker sends a continuous flow of specifically crafted UDP packets to a closed port on a target system, according to Voss.

The vulnerability does not require any user interaction or authentication, so any Windows machine on the Internet is vulnerable to attack, according to Amol Sarwate, manager of Qualys Vulnerability Labs. The attack is complicated to execute and Microsoft has assigned a low exploitability index of "2." If the attacker succeeds, it "has all the required markings for a big worm," Sarwate said.

Symantec estimated that an attack exploiting the flaw would "take a considerable amount of time," or at least 4 to 5 hours in a single attack, according to Joshua Talbot, security intelligence manager at Symantec Security Response. If the attacker succeeds, it would result in a "complete system crash or compromise," Talbot said.

Rapid7's Carey said the vulnerability could also be used to launch a denial-of-service (DoS) attack against the compromised machine. The flaw could affect any service, not just Web servers, "which would be better than the garden variety DoS attack," Carey said. Since this is a "core flaw" in how systems process UDP traffic, any computer running the UDP protocol should be patched as soon as possible, according to Carey. It would "also be a good time" to revisit firewall configurations to ensure ports not being used are blocked, he said.

Another bulletin closes yet another Dynamic Link Library (DLL) preloading vulnerability, this time in Windows Mail. Microsoft has been closing this issue in various applications since August 2010. Sarwate recommended that users implement the generic workaround provided by Microsoft (advisory 2264107) to harden Windows to block attacks using DLL preloading. Carey said attackers are likely to exploit this security flaw as part of a social engineering attack.

Tyler Reguly, technical manager of security research and development at nCircle, expressed surprised that Microsoft is still releasing fixes for DLL preloading. "While I'd expect that we would continue to see these from third-party software vendors, I assumed that Microsoft had already identified these all of these flaws internally by now," he said.

A TrueType font vulnerability was fixed in the Windows kernel, which could cause a denial of service if left unpatched. This TrueType bug is different from the zero-day vulnerability recently identified as being exploited by the Duqu Trojan.

"I wonder if we are seeing the beginning of a new malware trend focused on exploiting kernel and font parsing bugs," said Andrew Storms, director of security operations at nCircle.

Microsoft also fixed a potential privilege escalation flaw in Active Directory. "There are so many requirements related to this vulnerability that I think it would be difficult to exploit in the wild," Carey said.

Security researchers also focused on what Microsoft did not release: a patch fixing the zero-day bug in the TrueType font related to Duqu. Microsoft published a security advisory on Nov. 3 along with a temporary workaround for organizations to apply while waiting for the patch. It's possible that the permanent fix will be released as an "out-of-band" patch, but Microsoft has not provided any timelines.

IT departments and end users should implement the workaround and also follow standard security best practices, such as installing an antivirus and keeping it updated, and not clicking on attachments, according to Talbot.

"Having good security software in place and updated will help prevent an attack, since most security vendors already detect and block the main Duqu files," Talbot said.

On the same day, as part of its "Black Tuesday" update, Adobe patched the Shockwave Player. The security update addressed critical vulnerabilities in Shockwave Player and earlier for Windows and Macs. These security flaws could be exploited by an attacker to run malicious code, Adobe said. Adobe fixed two memory corruption vulnerabilities in the DIRapi library and multiple memory corruption issues in the TextXtra module. There currently aren't any exploits in the wild targeting these vulnerabilities, according to the company.

Apple also announced Java updates for Mac OS X Lion and Snow Leopard. The company patched 17 vulnerabilities in Java, which has already been fixed by Oracle for other operating systems, in Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6. The most serious bug may allow an untrusted Java applet to execute code outside the Java sandbox, Apple said in its advisory.