Microsoft Releases Critical Patch For Vista, Windows 7
The latest Patch Tuesday release, which typically falls on the second Tuesday of every month, did not contain a fix for the vulnerability exploited by Duqu, a data-gathering Trojan reported last month that experts believe was created for industrial cyber-espionage. Microsoft released a temporary fix last week for the previously unknown Windows flaw.
The only critical fix in the latest release is MS11-083, which addresses a flaw that lets a hacker execute code through the TCP/IP stack of Vista, Windows 7 or Windows Server 2008.
"We estimate an attack attempting to leverage it would take a considerable amount of time; perhaps four to five hours to complete a single attack," Joshua Talbot, security intelligence manager at Symantec, said in a statement. "However, if an attacker can pull it off, the result would be a complete system crash or compromise, if the attacker develops a reliable means of exploitation."
The difficulty in attacking the flaw led Microsoft to give it an exploitability rating of 2. A rating of 5 is considered most dangerous.
One other vulnerability, MS11-085, could also enable the execution of malicious code. Rated as important, the flaw is in Windows Mail and Meeting Space in Vista, Windows Server 2008 and Windows 7.
Also rated important is MS11-086, a vulnerability in Active Directory that a hacker could use to obtain a revoked certificate and use it to gain network access. The flaw was the only one that affected Windows XP and Windows Server 2003, as well as the newer OSes. The lowest rating, moderate, was given to MS11-084, which could allow a denial-of-service attack if a person opened a modified TrueType font file sent as an e-mail attachment. The vulnerability is in Windows 7 and Windows Server 2008.
Microsoft said last week that this month's patch release would not include a permanent fix for the Windows vulnerability used by Duqu. The flaw is in the Win32k TrueType font parsing engine, where it can be used to run code in kernel mode, the company says. Such access could enable an attacker to install programs, change or delete data, or create new user accounts with full rights to a system. Microsoft released a temporary fix for the Windows flaw and said a permanent one would be available later. No date was given.
Duqu bears similarities to the Stuxnet worm that damaged the control systems in Iran's nuclear facility. Experts disagree over whether Duqu was written by the same team of hackers.