Microsoft issues fixes for 'patched' Duqu threat

Powered by SC Magazine
 

Patches fix 23 vulnerabilities

Microsoft on Tuesday shipped seven patches to address 23 vulnerabilities, including fresh fixes for flaws that could enable the espionage trojan Duqu trojan to spread.

Three of the seven bulletins were rated "critical" by Microsoft, but all of the attention seemed squarely focused on one: MS12-034, a rather convoluted fix that remedies 10 issues in Windows, Office, Silverlight and the .NET Framework. 

Three of the ten vulnerabilities were publicly known, and the most severe of the holes involved the improper handling of TrueType font files, which was the vector by which Duqu was believed to have spread.

Duqu was created to conduct reconnaissance of target industrial control systems, and may have been designed to serve as a precursor to another Stuxnet-like attack.

In December, Microsoft patched the Duqu vulnerability, but the code had been replicated in other company products, said Andrew Storms, director of security operations at nCircle, which provides security and compliance auditing solutions.

"This is going to give the patch management folks some serious heartburn," he said.

"Evidently, Microsoft discovered that the same bits of bad code that were fixed in MS11-087 last year were copied and pasted into other applications, so they needed to fix those, too.

"Since other changes were pending for those applications, all kinds of other bug fixes not related to Duqu [also] are bundled into this bulletin."

Tuesday's update contained two other high-priority fixes.

MS12-029 corrects a single "critical" weakness in Word that could result in remote code execution by attackers.

Also, MS12-032 remedies one publicly known and one privately disclosed flaw in the TCP/IP stack, a core operating system component.

While the bug can at worst result in privilege escalation, but not code execution, a public exploit has been published.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft issues fixes for 'patched' Duqu threat
 
 
 
Top Stories
At the top of her game
A decision to bring digital operations back in-house three years ago has paid big dividends for Tabcorp.
 
Westpac hires SAP man as CTO
Creates four new IT lead positions.
 
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
More 4G from Optus in Darwin
Nov 21, 2014
Click to see where Optus has expanded coverage to the suburbs near Darwin.
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  21%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 984

Vote