Microsoft patches critical Windows bug, but not Duqu flaw

Software giant prioritizes update that closes hole in TCP/IP stack in Windows 7, Vista, and Server 2008.

Jerry Bryant, group manager of response communications  at Microsoft's Trustworthy Computing Group, discusses the updates in a video.
Jerry Bryant, group manager of response communications at Microsoft's Trustworthy Computing Group, discusses the updates in a video. Microsoft

Microsoft released a security update to fix one critical and three less serious Windows holes but is still working on a patch for a flaw being exploited by the Duqu Trojan.

The most serious of the updates is MS11-083, which could allow an attacker to take over a computer by sending a large number of malicious UDP packets to a closed port on a target system, the Patch Tuesday security bulletin said. It plugs a vulnerability in the TCP/IP stack in Windows 7, Vista, and Server 2008.

"Since this vulnerability does not require any user interaction or authentication, all Windows machines, workstations and servers that are on the Internet can be freely attacked," Amol Sarwate of Qualys said. "The mitigating element here is that the attack is complicated to execute, and Microsoft has given it an Exploitability index of '2,' meaning that the exploit code is inconsistent, but otherwise this has all the required markings for a big worm."

Microsoft also fixed a vulnerability in Windows Mail and Meeting Space that could be exploited to trick the system into remotely running random code if a user opens a file located in the same network directory as a malicious dynamic link library (.DLL) file. Also patched were a vulnerability in Active Directory and one in Windows Kernel-Mode Drivers that could allow a denial of service if a user opens a malicious TrueType font file as an e-mail attachment or navigates to such a file on a network share.

Microsoft issued a temporary fix last week for the hole, also in the Win32k TrueType font-parsing engine, that Duqu exploits.

About the author

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)
Google Lunar XPrize: Testing Astrobotic's rover on the rocks (pictures)
CNET's 15 favorite How Tos of 2014
CNET's 15 most popular How Tos of 2014