Today is Microsoft’s Patch Tuesday for the month of November--the eleventh Patch Tuesday of 2011. It is a light month from Microsoft, with only four security bulletins. The big news, though, is that the zero-day flaw being exploited by the Duqu worm is not among the vulnerabilities fixed by Microsoft today.
The addition of four security bulletins this month brings the total for the year so far to 86. Of the four security bulletins, one is rated as Critical, two are Important, and one is ranked as a Moderate threat.
The biggest concern this month--aside from the unpatched Duqu zero-day--is MS11-083. It is rated as Critical because a successful exploit could allow an attacker to assume complete control of the vulnerable system. The immediate threat, though, is reduced by the level of technical difficulty in successfully exploiting the flaw.
New details are emerging regarding the Duqu worm. CrySyS Labs--the team that originally discovered the Duqu malware--has intercepted one of the files that actually installs the malware on target systems. It seems that Duqu is exploiting a zero-day vulnerability delivered through Microsoft Word documents to spread.
According to the researchers at CrySyS, Duqu is installed by a malicious Microsoft Word document that exploits a kernel vulnerability. The Word document is only the delivery vehicle; the flaw being exploited lives in the Windows kernel rather than in Word itself, which is why a fix has to come from Windows and not from an Office update. When a victim opens the malicious document, the main elements of the Duqu worm are installed on the compromised system.
The fact that security researchers were able to recover and analyze one of the dropper files used to install Duqu is encouraging, but researchers also caution that this may not be the only attack vector. The recovered dropper file was intended to target one specific organization, and it had a built-in eight-day expiration window. It is possible that other Duqu attacks could use variants of malicious Microsoft Word documents, or they could use entirely different means to accomplish the initial compromise.
Researchers have identified a new malware threat that has been dubbed "Duqu". The new threat was apparently developed by the same author who developed the Stuxnet worm used in targeted attacks against Iranian nuclear facilities, but Duqu has its sights set on a completely different target.
Independent researchers in Europe have shared the malware code with researchers at McAfee and Symantec, and all parties agree that Duqu is built on the same source code as Stuxnet. A blog post from Symantec explains, "Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered."
Although the core code may be shared, a McAfee Labs blog post says that Duqu lacks the PLC-compromising payload of its predecessor. Like Stuxnet, Duqu installs drivers and encrypted DLLs on infected machines, and McAfee reports that the injection code and several of the encryption keys and techniques Duqu uses are close to those used by Stuxnet.
Yesterday was Microsoft's Patch Tuesday for the month of October. There were a total of eight new security bulletins--not too many, but enough to keep IT admins busy for a while. While most of the vulnerabilities addressed are not imminent threats, security experts are virtually unanimous that patching Internet Explorer should be priority one.
First, let's take a brief look at the security bulletins Microsoft released for Patch Tuesday:
MS11-075 (Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution): An insecure library loading flaw. The component can be tricked into loading a rogue DLL from an attacker-controlled location, such as a network share that also holds a legitimate file the user opens, and the code in that DLL then runs with the user's privileges.
MS11-076 (Vulnerability in Windows Media Center Could Allow Remote Code Execution): Addresses a publicly disclosed vulnerability of the same kind in Windows Media Center, where a rogue DLL placed where the application searches for libraries could be loaded and executed.
MS11-077 (Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution): Fixes four different vulnerabilities in Microsoft Windows, including one that could allow an attacker to execute malicious code by luring someone to open a malicious font file.
MS11-078 (Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution): Fixes a critical vulnerability in .NET Framework and Microsoft Silverlight that can be exploited to run malicious code when someone visits a compromised website.
MS11-079 (Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution): Resolves five vulnerabilities in Microsoft Forefront Unified Access Gateway, one of which could enable an attacker to execute malicious code by luring the user to visit a compromised website.
MS11-080 (Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege): Deals with an elevation of privilege vulnerability. An attacker would have to log on locally with valid credentials to exploit it, so it presents little risk on its own; in practice, though, a local privilege escalation is the second stage chained after a remote code execution bug to turn a limited user account into full control of the system, so it should still be deployed rather than deferred indefinitely.
MS11-081 (Cumulative Security Update for Internet Explorer): This month's Cumulative Security Update for Internet Explorer addresses eight vulnerabilities, including one which can be used to execute malicious code simply by luring a user to visit a compromised website.
MS11-082 (Vulnerabilities in Host Integration Server Could Allow Denial of Service): Deals with two vulnerabilities in Host Integration Server that could be used for a denial of service attack.
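For an administrator working through this list, the practical question is which of these bulletins are actually installed on a given host. The following PowerShell function is an added example, not code from the original article or from Microsoft: it compares a hand-maintained bulletin-to-KB mapping against the hotfix IDs reported by Get-HotFix and reports what is missing. The function name, the parameter names and the three mapping entries are mine; the KB numbers shown are illustrative and should be confirmed against each bulletin's page before being relied on.

```powershell
# Added example, not from the original article. Reports which security
# bulletins from a hand-maintained list are missing on a Windows host.
# Written to run on PowerShell 2.0 and later.
function Get-MissingBulletin {
    param(
        # Bulletin ID -> KB article that the bulletin installs
        [Parameter(Mandatory = $true)] [hashtable] $BulletinKb,
        # Installed hotfix IDs. Defaults to the local host; a list collected
        # elsewhere (for example Get-HotFix -ComputerName server01) can be passed in.
        [string[]] $InstalledId = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    $missing = @()
    foreach ($bulletin in ($BulletinKb.Keys | Sort-Object)) {
        $kb = $BulletinKb[$bulletin]
        if ($InstalledId -notcontains $kb) {
            $missing += New-Object PSObject -Property @{ Bulletin = $bulletin; KB = $kb }
        }
    }
    # Emits nothing when every bulletin in the list is installed
    $missing
}

# Illustrative mapping for three of the October 2011 bulletins listed above.
# Confirm each KB number on the bulletin page. A bulletin that ships several
# packages (MS11-078 covers both .NET Framework and Silverlight) has one KB
# per package and needs one entry per package.
$october2011 = @{
    'MS11-081' = 'KB2586448'   # Internet Explorer cumulative update (Critical)
    'MS11-077' = 'KB2567053'   # Windows kernel-mode drivers
    'MS11-080' = 'KB2592799'   # Ancillary Function Driver elevation of privilege
}

Get-MissingBulletin -BulletinKb $october2011 |
    Sort-Object Bulletin |
    Format-Table Bulletin, KB -AutoSize
```

One caveat when reading the output: Get-HotFix is backed by the Win32_QuickFixEngineering WMI class, which only lists updates installed through the Windows servicing stack. Updates delivered as separate installers, such as the Silverlight package in MS11-078, do not appear there, so a KB being absent from this report is not proof that the update is missing; for those packages, check the file versions the bulletin lists instead.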
Next Tuesday is the second Tuesday in October, and that means it is Microsoft Patch Tuesday. Overall, it is a moderate month in terms of patch volume, but the two bulletins rated as Critical should be addressed quickly, before exploits for them appear.
According to the Microsoft Security Bulletin Advance Notification for October 2011, we can expect a total of eight security bulletins next Tuesday--not the smallest Patch Tuesday ever, but also far short of the biggest. Two of the security bulletins are rated as Critical, with the remaining six classified as Important.
The affected software includes Windows, the Microsoft Forefront Unified Access Gateway, Microsoft Host Integration Server, the Internet Explorer Web browser, .NET Framework, and Microsoft Silverlight. The Critical updates affect Internet Explorer, and .NET Framework / Silverlight.
Computer and data security is becoming a much more complex issue to manage for many businesses and consumers. Webroot hopes to simplify it, and make sure you are protected no matter what device or platform you might be using with the launch of SecureAnywhere.
Security used to amount to simply installing some anti-malware product on the PC and keeping it up to date to detect the latest threats. But, now users do more online, and connect with the world through social networks, and access data while on the go from smartphones and tablets. The old school model of security no longer applies.
"For far too long, people have endured a miserable experience with their PC security," said Dick Williams, CEO, Webroot. "Security vendors, including Webroot, have expected customers to buy, install, and manage security products by themselves. This industry has been delivering products that are less and less effective against threats from zero-day exploits, social engineering, and other sophisticated techniques we see today. Webroot is taking the misery out of security. Webroot SecureAnywhere is the fastest, lightest, and the least demanding--so people are free to do what they want online."
Data encryption is the cornerstone of Internet security. Every time you log into your email account or sign into an online retailer like Amazon, chances are that your browser is establishing a secure connection to the server using a protocol called TLS (Transport Layer Security), which both encrypts the traffic and lets the browser verify that it is talking to the server it expects.