As expected, Microsoft did not address the kernel-level Windows vulnerability exploited by the Duqu Trojan in its November 2011 Patch Tuesday security updates released today. Microsoft did release four bulletins, including a fix for a "critical" remote code execution vulnerability in the way the Windows TCP/IP stack handles UDP requests.
Microsoft advises users to implement a workaround issued last week as a temporary fix for the hole targeted by Duqu, malware initially considered an offshoot of the Stuxnet Trojan. The vulnerability is in the Win32k TrueType font-parsing engine; an attacker exploiting it could run arbitrary code in kernel mode. This would allow an attacker to remotely install malware, alter data or create new accounts with full privileges, Microsoft said. A successful attack would need to be carried out over email via a malicious attachment, last week's advisory said.
“It's a particularly manageable month,” said Marcus Carey, security researcher and community manager at Boston-based vulnerability management company Rapid7, of the November 2011 Patch Tuesday updates as a whole. “Duqu continues to be essentially the most noteworthy. [Microsoft] did not have enough time to patch it. They're still researching the consequences of that vulnerability. … I believe they do not think they should issue a patch immediately because they already released a workaround.”
Tuesday's updates affect Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
MS11-083 was the only critical bulletin, addressing a flaw in the Microsoft Windows TCP/IP stack that, if left unpatched, could allow remote code execution if an attacker sent a continuous stream of specially crafted UDP packets to a closed port on the targeted system.
However, because the flaw has not been publicly disclosed, Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc., said it doesn't raise the alarm too high. “The attacker has to determine what packet to send,” Miller said. “It takes a little to do that, but it is still important to patch this one.”
Two of the remaining bulletins, MS11-085 and MS11-086, are rated “important,” while the last one, MS11-084, is rated “moderate.”
MS11-085 patches a vulnerability in Windows Mail and Windows Meeting Space that could also allow remote code execution, but only if the user visits an untrusted remote file system location and opens a legitimate file from that location.
“MS11-085, we're seeing this one come up each month,” said Miller. “It's a similar vulnerability, just in different types of software.”
An update for Windows Active Directory, MS11-086, fixes a flaw that could allow elevation of privilege if the software is configured to use LDAP over SSL and the attacker acquires a revoked certificate linked to a valid domain account. Active Directory is not configured to use LDAP over SSL by default.
MS11-084 is rated "moderate" and fixes a flaw in Windows Kernel-Mode Drivers that could allow denial of service. This update also requires a restart, and the vulnerability can only be exploited if a user deliberately visits an untrusted remote file system location containing a specially crafted TrueType font file or opens such a file as an email attachment.