Microsoft Leaves Duqu Worm Exploit Unpatched

Nov 08, 2011

The main concern is that the zero day flaw exploited by the Duqu worm is not addressed by any of them.

Today is Microsoft's Patch Tuesday for the month of November–the eleventh Patch Tuesday of 2011. It is a light month from Microsoft, with only four security bulletins. The big news, though, is that a zero day flaw being exploited by the Duqu worm is not among the vulnerabilities fixed by Microsoft today.

The addition of four security bulletins this month brings the total for the year so far to 86. Of the four security bulletins, one is rated as Critical, two are Important, and one is ranked as a Moderate threat.

The biggest concern this month–aside from the unpatched Duqu zero day–is MS11-083. It is rated as Critical because a successful exploit could allow an attacker to assume complete control of the vulnerable system. The immediate threat, though, is reduced by the level of technical difficulty in successfully exploiting the flaw.

Joshua Talbot, Security Intelligence Manager for Symantec Security Response, explains, “We estimate an attack attempting to leverage it would take a considerable amount of time; perhaps 4 to 5 hours to complete a single attack. However, if an attacker can pull it off the result would be a complete system crash or compromise if the attacker develops a reliable means of exploitation.”

Andrew Storms, Director of Security Operations for nCircle, has a slightly different take on Microsoft’s Patch Tuesday. Storms feels that the most interesting of the security bulletins is MS11-084–the one rated merely Moderate.

Storms says, “The interesting thing about this bulletin is that it appears to have a lot in common with the Duqu advisory Microsoft released last week. I wonder if we are seeing the beginning of a new malware trend focused on kernel and font parsing bugs.”

Then, there’s the Duqu worm itself. Microsoft’s most recent Security Intelligence Report illustrates that zero day flaws are more hype than threat in the real world. But, when a zero day flaw is exploited by malware there is obviously cause for concern.

Symantec’s Talbot stresses that the Duqu zero day is still a concern. “Microsoft recently published a security advisory as well as a temporary fix and is currently investigating the vulnerability.”

Most antimalware products are capable of detecting and blocking Duqu at this point, so keeping your security software updated should suffice. Security experts reiterate, however, that users should always exercise caution when opening any email file attachments or clicking on any unknown URLs in emails.

Microsoft is working diligently to resolve the issue. Expect an out-of-band patch in the next couple of weeks to address the zero day flaw targeted by the Duqu worm.