Microsoft Patches Duqu; BEAST Next

Thursday, December 15, 2011 @ 03:12 PM gHale

The BEAST got a reprieve while Duqu earned a patch as Microsoft issued 13 security updates that patched 19 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player.

In addition, the software giant scrubbed one bulletin focusing on The BEAST because SAP said the patch broke some of its software.

Adobe Patches ColdFusion; Working on Others
Targeted Emails Use Security Vendor’s Name
Attackers Hijacking Solid Domains
Control Systems on Alert

“The bulletin scheduled to address Security Advisory 2588513 was postponed due to a third-party application compatibility issue that will be addressed by the vendor, with whom we’re working directly,” Jerry Bryant, group manager in Microsoft’s Trustworthy Computing team, said in a statement.

That security update was to fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug demonstrated in September 2011 by researchers who crafted a hacking tool dubbed BEAST, for “Browser Exploit Against SSL/TLS.”

SAP, the German developer that creates enterprise business operations and management software, was the third-party vendor who reported compatibility problems. Microsoft added it would rather pull a bulletin than “ship something that might inconvenience customers.”

Microsoft did patch the vulnerability exploited by the Duqu intelligence-gathering Trojan, however; that flaw was the subject of an advisory the company issued in early November after the industry learned there was a relationship to Stuxnet, the ultra-sophisticated worm that sabotaged Iran’s nuclear program in 2010.

That bulletin was one of three rated “critical,” the company’s top threat ranking. The remaining 10 were “important,” the next-lowest rating.

Microsoft called out the Duqu update, MS11-087, and another, MS11-092, as the ones customers should apply first. The latter affects Windows Media Player, Microsoft’s audio-video-rich content utility.

“Now that they’ve patched the vulnerability, we’ll have lots of people reverse engineering the patch to weaponize a drive-by exploit,” said Wolfgang Kandek, chief technology officer at Qualys.

Duqu attacks uncovered this fall relied on malicious Word documents fed to victims as email attachments. But Microsoft acknowledged the underlying vulnerability could also suffer exploitation using browser-based attacks.

In a post to Microsoft’s Security & Defense Research blog, Chengyun Chu and Jonathan Ness, engineers at the Microsoft Security Response Center, noted an undisclosed “browser-based attack vector” via IE.

Jason Miller, of VMware’s research and development team, warned other browsers might be vulnerable to such attacks, too. For that reason and others, Miller expected hackers to eagerly dig into the Duqu fix.

The other bulletin Microsoft put on its patch-now list was MS11-092, which fixes a single critical bug in Windows Media Player.

“Windows Media Player’s [vulnerability] is a drive-by,” said Storms, referring to attacks that only require users to steer their browser to a site hosting malicious content to be successful.

Leave a Reply

You must be logged in to post a comment.