No Duqu zero-day patch yet, but Microsoft offers workaround

Friday, November 4, 2011


Microsoft released a security advisory late Thursday with a workaround for the Windows zero-day vulnerability linked to the Duqu Trojan, but said a Duqu zero-day patch won't be ready for next week's Patch Tuesday release.

"It is extremely important that when that patch comes out that every Windows user that has a vulnerable computer apply that patch as quickly as possible... This is not one to mess around with."

-- Andrew Brandt, Solera Networks

In the advisory, Microsoft said it is investigating a vulnerability in a Windows component, the Win32k TrueType font parsing engine. Successful exploitation of the vulnerability, according to Microsoft, could allow an attacker to run arbitrary code in kernel mode and then install programs, alter or delete data, or create new accounts with full user rights. For an attack to succeed, the victim must open an email attachment.

"We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time," the company said.

The advisory provides a workaround for the Duqu vulnerability, which affects virtually all actively supported versions of Windows. Microsoft released a Fix it program to provide easy installation of the workaround.
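The article does not say what the workaround actually changes. The manual workaround in that advisory (Microsoft Security Advisory 2639658) denies Everyone all access to t2embed.dll, the TrueType font embedding library, so that the vulnerable Win32k parsing path cannot be reached through it; the Fix it automates the same change. The block below is an added example, not Microsoft's Fix it and not code from this article: it applies the deny ACE with the same takeown/icacls commands the advisory gives for Windows Vista and later (the advisory uses cacls for XP and Server 2003, which this block does not cover), verifies from the file's ACL that the deny is in place, and removes it again. The function names, the use of the Everyone SID instead of the localized group name, and the inclusion of the SysWOW64 copy on 64-bit Windows are this example's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft's Fix it): apply, verify and
# undo the manual workaround from Microsoft Security Advisory 2639658, which
# denies Everyone all access to t2embed.dll so the TrueType embedding path to
# the vulnerable Win32k font parser cannot be reached through it.
# Assumptions: Windows Vista or later, elevated PowerShell. Covering the SysWOW64
# copy on 64-bit Windows is this example's addition, not an advisory step.

$Targets = @("$env:windir\System32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $Targets += "$env:windir\SysWOW64\t2embed.dll"
}

# Well-known SID for Everyone; locale-independent, unlike the group name the
# advisory's command line uses. icacls accepts SIDs prefixed with '*'.
$EveryoneSid = 'S-1-1-0'

function Apply-Workaround {
    foreach ($File in $Targets) {
        # The advisory's two steps: TrustedInstaller owns the file, so take
        # ownership first, then add an explicit Deny (F) for Everyone. An
        # explicit deny ACE takes precedence over every allow ACE on the object.
        takeown.exe /f $File | Out-Null
        icacls.exe $File /deny "*$($EveryoneSid):(F)" | Out-Null
    }
}

function Test-Workaround {
    # Returns $true only when each copy carries an explicit Deny FullControl
    # ACE for Everyone, i.e. the workaround is actually in effect.
    foreach ($File in $Targets) {
        $Deny = (Get-Acl -Path $File).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid -and
            $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
        }
        if (-not $Deny) { return $false }
    }
    return $true
}

function Undo-Workaround {
    # The advisory's undo step: drop the deny ACE (/remove:d) for Everyone.
    foreach ($File in $Targets) {
        icacls.exe $File /remove:d "*$EveryoneSid" | Out-Null
    }
}

Apply-Workaround
if (Test-Workaround) {
    Write-Output "Deny ACE present on: $($Targets -join ', ')"
} else {
    Write-Warning 'Workaround not in effect; check that the session is elevated.'
}
```

The trade-off is the one the advisory itself notes: while the deny is in place, applications that rely on embedded fonts will not render them properly. Treat Test-Workaround as the compliance check for the interim period, and run Undo-Workaround once the real security update is installed, since leaving the deny on a patched file only breaks legitimate embedded-font use.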

In a blog post, Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, said Microsoft's engineering teams have determined the root cause of the vulnerability and are working to produce a high-quality security update to address it. The update won't be ready for this month's bulletin release, he added, but declined to provide a timetable.

Microsoft also said it provided its Active Protections Program partners with details for building detection into their security products. Antimalware vendors will soon release new signatures, according to Microsoft, which encouraged customers to make sure their antivirus protection is up to date.

Earlier this week, security researchers said they detected an installer for Duqu, a Microsoft Word document that exploits a kernel-level Windows zero-day vulnerability.

According to security researchers, the Duqu Trojan contains some of the same source code used by the Stuxnet Trojan, which was designed to disrupt industrial processes. Duqu appears to have targeted industrial equipment makers in order to collect information about their systems and other proprietary data. According to Symantec Corp., the number of confirmed Duqu infections is limited, with confirmed attacks in eight countries, including India and Iran.

Earlier in the day, security researchers said they didn't expect Microsoft's November 2011 Patch Tuesday release to address the Duqu-related zero-day flaw due to the complexity of fixing the kernel-level vulnerability.

In its November 2011 Patch Tuesday Advance Notification issued Thursday, Microsoft said it planned to issue four security bulletins Nov. 8, fixing four Windows vulnerabilities. Only one of the bulletins slated for release is rated as critical. Two are rated as important and the fourth is rated as moderate.

Most of the bulletins apply to newer versions of Windows. The critical bulletin, which fixes a vulnerability that could lead to remote code execution, affects Vista, Windows 7, Windows Server 2008 and Server 2008 R2. Only the third bulletin, which addresses vulnerabilities that could lead to elevation of privilege, also affects the older Windows XP and Server 2003.

The November 2011 Patch Tuesday will be light, especially for companies that haven't yet switched to Windows 7, said Marcus J. Carey, security researcher at Boston-based vulnerability management company Rapid7 LLC. He said the nature of the Duqu-related flaw means Microsoft can't rush a patch for it.

"It just takes a long time to fix kernel-level bugs," he said. "The kernel is the core part of the operating system, so it's a big deal when you have to fix those."

Mike Geide, senior security researcher at Sunnyvale, Calif.-based Web security SaaS provider Zscaler Inc., also said fixing the kernel-level vulnerability is a complex process.

"Microsoft isn't going to release a patch until after thorough testing to make sure it not only fixes the vulnerability but also that it doesn't cause any problems in any of their operating systems," he said. "There are quite a number of systems to do stress testing on."

Noting the targeted nature of the Duqu attacks, Carey said average users aren't going to be affected by the malware. At the same time, though, researchers and attackers will be trying to uncover this bug until Microsoft patches it, he added.

Andrew Brandt, director of threat research at South Jordan, Utah-based network security analytics provider Solera Networks Inc., said it will be critical that businesses and individual users apply the patch for the kernel-level zero-day vulnerability once Microsoft releases it.

"It is extremely important that when that patch comes out that every Windows user that has a vulnerable computer apply that patch as quickly as possible," he said. "This is not one to mess around with for six months. We know just how dangerous it is, and it's already been used for some scary stuff."

Once the details of the vulnerability are released, it will just be a matter of time before more malware that exploits it surfaces, he added. "The window of time between distribution of details and appearance of more malware that exploits the vulnerability is shorter and shorter. It's gone from weeks to days to hours. It will not just be Duqu in the long run that exploits it."

