UPDATE: Microsoft will release 14 security patches next Tuesday, including fixes for security vulnerabilities exploited by the Duqu and BEAST malware.
The company released its monthly Advanced Notification for the December Security Bulletin, previewing 14 separate bulletins, three of them rated “critical,” indicating they could be used by remote attackers to run malicious code on affected systems and, possibly, contribute to the spread of a worm or virus. The 11 remaining bulletins are rated “Important.”
Every supported version of Microsoft’s Windows operating system is affected by one or more of the 14 patches, as well as the company’s Office Suite for Windows and the Apple Mac OS.
“System administrators will have a large amount of work in front of them as the majority impact Windows itself but Office, Internet Explorer, Windows Media and other components are also being patched,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
Though details of the fixes haven’t yet been released, security researchers speculated that one of the three critical bulletins, dubbed “Bulletin 1” will patch a critical vulnerability in the Windows TruType font parsing engine that was exploited by the recent Duqu malware – a Stuxnet-like threat.
Duqu was first detected in October and was immediately dubbed “Stuxnet 2.0” because its code shared similarities with the now-infamous worm that attacked Uranium enrichment faciliites within Iran. Subsequent analysis raised questions about those similarities and about Duqu’s likeness to Stuxnet.
In response to inquiries, Jerry Bryan of Microsoft’s Trustworthy Computer Group, Speaking to Computerworld, confirmed that fixes for the TruType parsing vulnerability Duqu used. Also included is a fix for a vulnerability in TLS 1.0 (Transport Layer Security) and SSL 3.0 (Secure Sockets Layer) that was exploited by BEAST (Browser Exploit Against SSL/TLS), a proof of concept piece of malware that was demonstrated by researchers at the recent Ekoparty conference in Argentina.
Baumgartner said that Microsoft has already taken steps to address the security threat posed by Duqu. In November, the company issued a workaround that closed the hole Duqu’s exploited to access vulnerable kernel code. “Systems in highly sensitive locations have been able to defend their systems with this workaround,” he said. Still, given the severity of the threat, “it would not be surprising to see them finally ship a patch,” Baumgartner said.
Microsoft will release full details of its security updates, the last of the year, on Tuesday, December 13.