Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft to Bring Four Fixes In November’s Patch Tuesday, Stays Silent on Vulnerability Exploited by Duqu

Microsoft is slated to release four security bulletins as part of November’s Patch Tuesday, but the company is staying silent on when it will patch a Windows zero-day at the center of the Duqu attacks.

Microsoft is slated to release four security bulletins as part of November’s Patch Tuesday, but the company is staying silent on when it will patch a Windows zero-day at the center of the Duqu attacks.

Patch Tuesday November 2011Just one of the bulletins is rated ‘critical,’ while two are rated ‘important.’ The final bulletin is considered ‘moderate.’ All four address issues in Microsoft Windows. The critical bulletin and one of the bulletins ranked important provide fixes for bugs that could permit attackers to remotely executer code, while the other bulletin rated important and the one rated moderate address escalation of privilege and denial-of-service issues, respectively.

Mum was the word however when it came to Duqu, the malware publicized last month as a possible precursor to a Stuxnet-like attack. Using a malicious Microsoft Word file, the attackers behind Duqu exploited a Windows kernel zero-day to infect systems.

 

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

 

The use of the zero-day was uncovered by the Laboratory of Cryptography and System Security (CrySyS) in Hungary. Security vendors have detected victims of Duqu in a number of countries, including Sudan, U.K. and Iran. In October, authorities in India seized components for a server belonging to a company in Mumbai after being told the server was communicating with machines infected with the Trojan.

While Microsoft is not being specific about a date, the company did tell SecurityWeek a fix for the zero-day is on the way. “We are working diligently to address this issue and will release a security update for customers through our security bulletin process,” a spokesperson said.

The Patch Tuesday bulletins are scheduled to be released Nov. 9 at 1 pm EST.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.