November's Microsoft Patch Tuesday contains four bulletins: one “critical”, two “importants”, and one “moderate”. The majority of these bulletins relate to Microsoft's later versions of the OS, implying that the flaws they address were possibly introduced with Windows Vista. Generally more vulnerabilities are found in earlier versions of the OS, so this month is unusual.
The critical bulletin – MS11-083 – is a TCP/IP based, specifically UDP, vulnerability which affects Vista, Windows 7, Server 2008, and Server 2008. This vulnerability can be used for a Denial of Service attack at the minimum, and worst case, remote code execution, though this hasn’t been seen yet. With more eyes on this bulletin now though, I certainly think that more researchers will try to actualize that theory.
Regarding denial of service, this is the preferred weapon of choice of many hacktivist organizations, and they would likely love to be able to launch mass DoS attacks related to this flaw. This flaw could affect any service, not just web servers, which would be better than the garden variety DoS attack. Bottom line: since this is a core flaw in how the systems process UDP traffic, any computer running it should get this patched as soon as possible. This would also be a good time to revisit firewall configurations to ensure you are blocking unnecessary ports. Many organizations make the mistake of leaving ports open for UDP and TCP, although many times TCP services don’t require both.
MS11-085 is a vulnerability in Windows Mail and Meeting Space, which affects a smaller number of organizations, but is also a possible vector for remote code execution by enticing users to click on malicious files. This attack would be used as part of a social engineering campaign. This should be next in line to patch after the critical.
MS11-086 affects enterprises running Active Directory, and has the potential for privilege escalations. This bulletin affects all modern Microsoft Windows platforms. There are so many requirements related to this vulnerability that I think it would be difficult to exploit in the wild.
MS11-084 is Windows Kernel-Mode Driver-related and could be leveraged by an attacker to cause a Denial of Service. This vulnerability is related to TrueType font formats, which could confuse some because the Duqu malware used a similar flaw. This bulletin is not related to Duqu.
As we suspected, the Duqu-related vulnerability will not be patched today. I advise organizations to utilize the workaround recommended by Microsoft until a patch comes out. Organizations should pay attention to see if Microsoft issues an out-of-cycle update to patch the vulnerability. If that doesn't happen, I suspect that Microsoft will try to aim for December's Patch Tuesday.
If you have any Patch Tuesday or general patching questions or stories, feel free to share them below.