No sign it will rush emergency update for kernel flaw exploited by Duqu malware
Microsoft today said it will issue four security updates next week to patch four vulnerabilities in Windows.
The critical vulnerability affects only Windows Vista, Windows 7, Server 2008 and Server 2008 R2, said Microsoft in its
monthly advanced warning of Patch Tuesday's roster.
Other than the one critical update, Microsoft's most-serious threat ranking, next week's collection also includes two pegged "important," the next-most-severe tag, and one labeled "moderate." Two of the updates -- the critical and one of those marked important -- will patch vulnerabilities that attackers could exploit to execute malicious code and potentially commandeer the computer.
But it does not appear that Microsoft will fix a recently-revealed critical Windows kernel bug next week. The unpatched, or "zero-day" vulnerability, has been exploited by the Duqu Trojan for several months. Symantec disclosed but did not describe in detail the kernel bug earlier this week.
Microsoft should be releasing a security advisory on the kernel vulnerability later Thursday.
While the decade-old Windows XP will not require the sole critical update, it will be patched by one of the important vulnerabilities.
Windows 7 users, however, will receive all four updates -- including the critical patch -- and Vista owners will see three.
"This month looks upside down," said Andrew Storms, director of security operations at nCircle Security, in an interview conducted using instant messaging. "New operating systems are more affected than older ones."
That is unusual, as Microsoft likes to point out: Historically, more vulnerabilities are uncovered, and patches issued for, older editions of Windows than for newer versions.
Other researchers noticed the same peculiarity.
"Interestingly, the majority of bulletins only apply to these newer versions of Windows, and XP and Server 2003 users are only affected by Bulletin 3, which is rated important," said Wolfgang Kandek, the chief technology officer of Qualys, in an email today.
The small number of patches wasn't unexpected, since Microsoft has been in the habit of shipping fewer updates on odd-numbered months. But Storms said this batch is even lighter than usual.
"This is lower than both last year and in 2009 for November," Storms said. "In November 2010 Microsoft released three bulletins and [patched] 13 CVEs, and in November 2009 there were six bulletins with 15 CVEs."
CVE, for Common Vulnerabilities & Disclosures, is an identifier that vendors and security researchers use to label each specific flaw.
With the small number of updates expected next week, it wasn't surprising that researchers focused on the kernel vulnerability leveraged by Duqu.
"I think the real news we are all waiting on is what is going to happen with the Duqu vulnerability," said Storms. Previously, Storms predicted that Microsoft would not rush a fix for the bug into next week's collection.
Marcus Carey, a security researcher with Rapid7, urged enterprises to be patient.
"I recommend customers wait for official guidance, patches and other mitigation strategies from Microsoft," said Carey, talking about the kernel bug and the expected advisory from Microsoft. "During times like this, many organizations are easily panicked and could fall victim to social engineering attacks based on the fear of zero-days."
The four updates will be released at approximately 1 p.m. ET on Nov. 8.
