Hi all,


It’s that magical time again: yesterday was Microsoft Patch Tuesday.  It’s a very light month for MS patching.  Microsoft today released just 4 patches, addressing 4 previously undisclosed vulnerabilities, making it the lightest month since May 2011.  The patches address issues in the Windows TCP/IP stack, Windows kernel font parser, Windows Mail client, and Active Directory.  Only the TCP/IP vuln is rated critical by Microsoft.  Other vendors have synced up with Microsoft this month, bringing additional patches from Apple and Adobe today.


This month’s Microsoft patches include the following:


  • (MS11-083) Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
  • (MS11-084) Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
  • (MS11-085) Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
  • (MS11-086) Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)


Perhaps the most noteworthy item this month is what’s not here: a patch for Microsoft Security Advisory 2639658 (“Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege”).  This unpatched vulnerability was disclosed by Microsoft on Nov 3rd, and acknowledged to be actively used by the recent Duqu malware attacks. 


Duqu is the latest in this year’s onslaught of highly-sophisticated, precision-targeted attacks to be made public.  Details are still emerging, but Duqu is known to get its initial foothold into an organization via MS Word documents with malicious font content, delivered via spear-phishing.  The documents leverage the above mentioned unpatched zero-day vulnerability to install kernel drivers and additional trojan payloads.  The inner workings of Duqu have been closely linked to last year’s Stuxnet attacks, although it does not have any specific ties to SCADA or other industrial control equipment.  McAfee Labs has published a landing page with an excellent roundup of information on Duqu, including a detailed consolidated report as well as links to relevant blog entries and podcasts:


McAfee’s Network Security Platform has numerous signatures that are effective in detecting the malicious Duqu .DOC files as they are transmitted over the network, as well as the Command and Control traffic associated with Duqu.  In addition, McAfee’s Global Threat Intelligence cloud has been updated to identify all associated IPs, domains, URLs, and files as malicious, and any GTI-enabled product will provide protection for the relevant section of the Duqu kill chain.


Of the four vulns that were patched today, most attention is focused on MS11-083, which addresses a flaw in the Windows TCP/IP stack that could allow an attacker to execute code on a victim simply by sending a large number of UDP network packets to the target.  In theory this sounds pretty ominous, as it requires no user interaction and can be executed over an unauthenticated network connection.  In practice there are several mitigating factors that make this difficult to pull off.  It’s unlikely to see widespread usage in the wild, but could be the first step in the next APT to hit the news...


On top of the MS vulnerabilities, today also brought Java patches from Apple, updates to the ShockWave Player from Adobe (APSB11-27), as well as Firefox 8 (which includes several security fixes).  These are certainly worth addressing as part of the regular patching cycle, but at this time we’re not aware of any reason to be especially concerned about them.


Counting the unpatched TrueType vuln used by Duqu, McAfee’s NSP provides protection for 3 out of 5 MS vulnerabilities disclosed this month.  McAfee Application Control and Host IPS are also shown to be effective against the Windows Mail vuln (MS11-085).  Application Control should also, naturally, be effective at blocking execution of any payload delivered as a result of a successful exploit of any vulnerability.  Additional research is underway to determine coverage for McAfee’s other countermeasures, as well as coverage for the Apple and Adobe vulns.  As more details become available, you’ll find them on the McAfee Threat Center:


You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


Happy patching!