Microsoft is slated to release four security bulletins as part of November’s Patch Tuesday, but the company is staying silent on when it will patch a Windows zero-day at the center of the Duqu attacks.
Mum was the word, however, when it came to Duqu, the malware publicized last month as a possible precursor to a Stuxnet-like attack. Using a malicious Microsoft Word file, the attackers behind Duqu exploited a Windows kernel zero-day to infect systems.
The use of the zero-day was uncovered by the Laboratory of Cryptography and System Security (CrySyS) in Hungary. Security vendors have detected victims of Duqu in a number of countries, including Sudan, the U.K. and Iran. In October, authorities in India seized components for a server belonging to a company in Mumbai after being told the server was communicating with machines infected with the Trojan.
While Microsoft is not being specific about a date, the company did tell SecurityWeek a fix for the zero-day is on the way. “We are working diligently to address this issue and will release a security update for customers through our security bulletin process,” a spokesperson said.
The Patch Tuesday bulletins are scheduled to be released Nov. 9 at 1 pm EST.