Microsoft security patches for November 2011 are live, and customers need to prioritize plugging a hole in the Windows TCP/IP stack that affects all releases of the operating system, including Windows 7 Service Pack 1 (SP1), with the exception of Windows XP and Windows Server 2003.
Microsoft Security Bulletin MS11-083, rated Critical, is the one dealing with CVE-2011-2013, the Reference Counter Overflow vulnerability in the Windows TCP/IP stack.
There are three additional security bulletins from the software giant, patching just as many vulnerabilities, although none is as severe as CVE-2011-2013.
“We are releasing four security updates, which will increase protection by addressing four privately reported CVEs in Microsoft Windows. As always, customers should plan to install all of these updates as soon as possible,” revealed Pete Voss, Sr. Response Communications Manager, Microsoft Trustworthy Computing.
“There is one bulletin, however, that we want to call out as a priority for our customers: MS11-083 (TCP/IP): This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow Remote Code Execution if an attacker sends a continuous flow of specifically crafted UDP packets to a closed port on a target system.”
Customers should deploy all November 2011 Windows security updates as soon as possible, with MS11-083 as the priority.
“The security update addresses the vulnerability by modifying the way that the Windows TCP/IP stack keeps track of UDP packets within memory,” Microsoft stated.
In addition to the vulnerability detailed above, Windows 7 SP1, as well as a number of older releases of Microsoft platforms, are also impacted by MS11-084
However, just two of the remaining security bulletins are rated Important, with MS11-084 considered to pose a Moderate risk to users.
As previously revealed, the Redmond company has not issued, as part of the November 2011 Patch Tuesday releases, a security update to resolve the Critical zero-day vulnerability that the Duqu malware uses to spread. However, a fix for the Duqu 0-day is indeed coming, most likely as an out-of-band update.