Microsoft scratches BEAST patch at last minute, but fixes Duqu bug
Admits Duqu-like browser-based attacks possible
Computerworld - Microsoft today issued 13 security updates, one less than expected, that patched 19 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player.
The company punted on one bulletin it had planned to deliver today after SAP told it that the patch broke some of its software.
"The bulletin scheduled to address Security Advisory 2588513 was postponed due to a third-party application compatibility issue that will be addressed by the vendor, with whom we're working directly," Jerry Bryant, group manager in Microsoft's Trustworthy Computing team, said in a statement.
The scrubbed security update was to fix the SSL (secure socket layer) 3.0 and TLS (transport layer security) 1.0 bug demonstrated in September 2011 by researchers who crafted a hacking tool dubbed BEAST, for "Browser Exploit Against SSL/TLS."
SAP, the German developer that creates enterprise business operations and management software, was the third-party vendor who reported compatibility problems. Microsoft added that it would rather pull a bulletin than "ship something that might inconvenience customers."
Microsoft did patch the vulnerability exploited by the Duqu intelligence-gathering Trojan, however; that flaw had been the subject of an advisory the company issued in early November after news broke of what some called a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran's nuclear program in 2010.
That update -- Microsoft calls them "bulletins" -- was one of three rated "critical," the company's top threat ranking. The remaining 10 were labeled "important," the next-lowest rating.
Microsoft called out the Duqu update, MS11-087, and another, MS11-092, as the ones customers should apply first. The latter affects Windows Media Player, Microsoft's audio-video-rich content utility.
Several security experts agreed with Microsoft's assessment of MS11-087.
"Duqu had to be at the top of the list, even though it was a very targeted attack," said Andrew Storms, director of security operations at nCircle Security.
"Now that they've patched the vulnerability, we'll have lots of people reverse engineering the patch to weaponize a drive-by exploit," said Wolfgang Kandek, chief technology officer at Qualys.
Duqu attacks uncovered this fall relied on malicious Word documents fed to victims as email attachments. But today Microsoft acknowledged that the underlying vulnerability could also be exploited using browser-based attacks.
In a post to Microsoft's Security & Defense Research blog, Chengyun Chu and Jonathan Ness, engineers at the Microsoft Security Response Center, noted an until-now-undisclosed "browser-based attack vector" via IE.
Jason Miller, of VMware's research and development team, warned that other browsers might be vulnerable to such attacks, too. For that reason and others, Miller expected hackers to eagerly dig into the Duqu fix.
"Microsoft dug deeper into the vulnerability, and discovered more attack vectors [than Word] because they are privy to the source code," Miller said, praising Microsoft's work. "But if I'm an attacker and I know Duqu was effective, I'd look into whether it could affect multiple browsers. That would give me an even bigger attack vector to use."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts