X

Microsoft fixes Duqu hole, but not BEAST problem

Microsoft pulls patch to protect IE users from flaw in SSL protocol after running into compatibility issue.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
Critical vulnerabilities represented 32 percent of all bulletins this year -- the lowest percentage since 2004 and the lowest in absolute numbers since 2005.
Critical vulnerabilities represented 32 percent of all bulletins this year -- the lowest percentage since 2004 and the lowest in absolute numbers since 2005. Microsoft

Microsoft has finally patched a flaw being exploited by the Duqu Trojan, but a fix to protect Internet Explorer users from having their encrypted communications snooped on didn't quite make the cut.

As part of Patch Tuesday today Microsoft released 13 security bulletins, fixing 10 important bugs and three critical ones, according to the advisory.

MS11-087 fixes a critical hole in the TrueType font handling in the Windows kernel that could allow an attacker to take control of a machine. It has been used in the wild to infect systems with the Duqu malware. "Now that the patch is out, we can expect an exploit to be coded and become available in short time," security firm Qualys predicted in a blog post.

The second critical patch, MS11-090, is a cumulative security update of ActiveX Kill Bits, while the final critical update, MS11-092, fixes a flaw in Windows Media Player.

Microsoft had initially planned on releasing 14 bulletins, including one to address a weakness in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0 encryption protocols that are used to secure Web sites accessed using HTTPS (Secure Hypertext Transfer Protocol).

Researchers released software they dubbed BEAST (Browser Exploit Against SSL/TLS) in September that can be used to decrypt parts of an encrypted data stream for a man-in-the-middle type of attack. Microsoft released a workaround in September and was expecting to have a full fix ready by today, but said that it discovered that there was a compatibility issue with SAP.

"The bulletin scheduled to address Security Advisory 2588513 was postponed due to a third-party application compatibility issue that will be addressed by the vendor, with whom we're working directly," said Jerry Bryant, group manager of response communications at Microsoft Trustworthy Computing. "We continue to monitor the issue and have seen no active exploits in the wild."

Meanwhile, the company has released 99 security bulletins this year, 32 percent of which were rated critical. That percentage is the lowest since the company began issuing monthly bulletins in 2004 and in absolute numbers it is the fewest since 2005, Microsoft said in a blog post.