Softpedia
 


November 4th, 2011, 16:51 GMT · By

No Patch for Critical Duqu 0-Day Vulnerability in Windows Next Week

Microsoft plans to release four security bulletins next week as a part of its monthly patch cycle, but an update designed to fix the critical zero-day vulnerability exploited by the Duqu malware won’t be among them.

Jerry Bryant, group manager, Response Communications Trustworthy Computing Group, confirmed this detail officially, while stressing that the software giant is indeed hard at work on a patch.

Bryant notes that the level of risk to which customers running Windows are exposed because of the Duqu malware attacks is low.

“Our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release,” Bryant said.

For the time being, attackers are spreading Duqu through social engineering tactics designed to convince unsuspecting users to open malformed Word documents served as email attachments.

As a precaution, customers should never launch attachments in messages from sources they don’t trust.

Once the Word document is opened, Duqu exploits the unpatched vulnerability in the Win32k TrueType font parsing engine, which allows an attacker to remotely execute code in kernel mode.

Since the patch for the Duqu-related 0-day Windows kernel flaw won’t be included in the security bulletins that Microsoft plans to ship on November 8, 2011, the company will most likely issue an out-of-band update later this month.

“As we do each month, we're providing advance notification on the release of four security bulletins, one Critical, two Important, and one Moderate, to address four CVEs in Windows. As usual, the bulletin release is scheduled for the second Tuesday of the month, Nov. 8, at approximately 10 a.m. PT,” said Pete Voss, Sr. Response Communications Manager Microsoft Trustworthy Computing.

Customers running Windows 7 SP1 will need to deploy all four security updates, including a Critical patch.


READER COMMENTS:


Comment #1 by: jinx on 05 Nov 2011, 11:18 UTC

Linux is looking better and better

Copyright © 2001-2012 Softpedia.