As part of its strategy to stagger alternate months with fewer security updates, Microsoft this week released a lighter Patch Tuesday consisting of only four security bulletins – only one of which has been flagged as critical. Indeed, the assigned exploitability rating of '3', in spite of it being a remote-execution vulnerability, also suggests that the underlying flaw is not easily exploited.
Two of the other patches are tagged as important, with the final one tagged as moderate. All 4 patches will impact Windows platforms and will require a reboot.
Jason Miller, Manager, Research and Development, VMware, confirmed that the critical vulnerability is not easy to exploit. In an email message, Miller wrote:
"First, the network port attacked on the target machine must be closed. Second, a normal UDP packet streamed to a vulnerable machine will not allow the attacker to gain access to the system. The UDP packet must be "specially" crafted. An attacker will need to figure out the type of packet to send to a vulnerable machine. Finally, this vulnerability was privately disclosed to Microsoft so there is no known code out in the wild at this time and Microsoft has not received any reports of attacks against this vulnerability."
As with all security vulnerabilities, it would be folly to deliberately leave any of them unpatched. However, the mitigating factors do mean that system administrators have more time to perform proper testing, as well as greater flexibility to stagger the patches for installation at the end of a work day.
Security managers hoping for a patch to fix a kernel-level Windows vulnerability exploited by the Duqu Trojan were left disappointed, however. Duqu's sophistication and similarity to the notorious Stuxnet malware have led security researchers to conclude that the two originated from the same team of elite hackers.
Citing the need for more time, Microsoft instead released a temporary workaround last week that essentially blocks off access to the vulnerable DLL file used by the Win32k TrueType font-parsing engine. The utility to apply (and disable) the workaround can be downloaded here. Additional information about the workaround can also be found in this Microsoft security advisory.