Microsoft to Bring Four Fixes In November’s Patch Tuesday, Stays Silent on Vulnerability Exploited by Duqu

Microsoft is slated to release four security bulletins as part of November’s Patch Tuesday, but the company is staying silent on when it will patch a Windows zero-day at the center of the Duqu attacks.

Just one of the bulletins is rated ‘critical,’ while two are rated ‘important.’ The final bulletin is considered ‘moderate.’ All four address issues in Microsoft Windows. The critical bulletin and one of the bulletins ranked important provide fixes for bugs that could permit attackers to remotely executer code, while the other bulletin rated important and the one rated moderate address escalation of privilege and denial-of-service issues, respectively.

Mum was the word however when it came to Duqu, the malware publicized last month as a possible precursor to a Stuxnet-like attack. Using a malicious Microsoft Word file, the attackers behind Duqu exploited a Windows kernel zero-day to infect systems.

Watch the On Demand Webcast: “Duqu- Precursor to the Next Stuxnet,” Presented by Symantec

The use of the zero-day was uncovered by the Laboratory of Cryptography and System Security (CrySyS) in Hungary. Security vendors have detected victims of Duqu in a number of countries, including Sudan, U.K. and Iran. In October, authorities in India seized components for a server belonging to a company in Mumbai after being told the server was communicating with machines infected with the Trojan.

While Microsoft is not being specific about a date, the company did tell SecurityWeek a fix for the zero-day is on the way. “We are working diligently to address this issue and will release a security update for customers through our security bulletin process,” a spokesperson said.

The Patch Tuesday bulletins are scheduled to be released Nov. 9 at 1 pm EST.