Microsoft patches critical Windows bug, but not Duqu flaw

Software giant prioritizes update that closes hole in TCP/IP stack in Windows 7, Vista, and Server 2008.

Jerry Bryant, group manager of response communications  at Microsoft's Trustworthy Computing Group, discusses the updates in a video.
Jerry Bryant, group manager of response communications at Microsoft's Trustworthy Computing Group, discusses the updates in a video. Microsoft

Microsoft released a security update to fix one critical and three less serious Windows holes but is still working on a patch for a flaw being exploited by the Duqu Trojan.

The most serious of the updates is MS11-083, which could allow an attacker to take over a computer by sending a large number of malicious UDP packets to a closed port on a target system, the Patch Tuesday security bulletin said. It plugs a vulnerability in the TCP/IP stack in Windows 7, Vista, and Server 2008.

"Since this vulnerability does not require any user interaction or authentication, all Windows machines, workstations and servers that are on the Internet can be freely attacked," Amol Sarwate of Qualys said. "The mitigating element here is that the attack is complicated to execute, and Microsoft has given it an Exploitability index of '2,' meaning that the exploit code is inconsistent, but otherwise this has all the required markings for a big worm."

Microsoft also fixed a vulnerability in Windows Mail and Meeting Space that could be exploited to trick the system into remotely running random code if a user opens a file located in the same network directory as a malicious dynamic link library (.DLL) file. Also patched were a vulnerability in Active Directory and one in Windows Kernel-Mode Drivers that could allow a denial of service if a user opens a malicious TrueType font file as an e-mail attachment or navigates to such a file on a network share.

Microsoft issued a temporary fix last week for the hole, also in the Win32k TrueType font-parsing engine, that Duqu exploits.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the Makerbot Replicator 3D Printer and all the supplies you need to get started.