November Patch Tuesday: 4 Updates, No Duqu Fix

Microsoft has published details of its next batch of security updates (known as Patch Tuesday), due to download to Windows machines automatically on Tuesday, November 8 via Windows Update. The only critical update in the batch affects newer rather than older editions of Windows.

None of the security updates to be released next Tuesday are said to patch MS Word, which is currently being exploited by the Duqu virus (a major zero-day threat).

The entire update is a bit of a surprise, say critics, because it deals with just four groups of bugs -- a far cry from recent updates that have included as many as 17 bulletins covering more than 60 problems.

It's worth noting, however, that Microsoft only releases updates for Internet Explorer (a major target for hackers) every second month, and November is considered an "off" month.

Windows XP Evades Greatest Danger

Only one of the four bulletins is rated 'critical,' Microsoft's highest threat level.

The critical bulletin is applicable to Windows Vista and later editions, with XP unaffected. Because of Windows 7's built-in security measures (that can mitigate the effects of a bug), Microsoft's newest operating system usually evades "critical" updates. But not this time. (Source: microsoft.com)

The good news is that the bug has received Microsoft's lowest ranking on a separate "Exploitability Index," which ranks how likely hackers are to carry out attacks exploiting the bug. It's suggested that the loophole is particularly difficult to exploit.

Remaining Security Bulletins Ranked 'Important'

Of the remaining bulletins, two are ranked 'important'.

One bug in particular could conceivably allow a hacker to run code on a victim's machine, while the other could permit a hacker to gain privileges allowing them access to a machine as if they had an administrator account.

The final bulletin is rated 'moderate' and involves denial of service, meaning a hacker could cause disruption but couldn't do permanent damage or access confidential data.

No Fix for Microsoft Word, Duqu Virus

None of the updates provide a fix for the recent Microsoft Word bug that's known to have been exploited by Duqu virus. Duqu is a new form of malware based on the better-known Stuxnet virus of 2010, which was used to attack Iran's nuclear equipment control computers.

It appears that Microsoft is still finalizing a patch and, given the potential danger, will make it available as soon as it's ready, whether that's before or after the scheduled update. (Source: crn.com)