Microsoft will roll out four security bulletins tomorrow (Nov. 8) to fix four Windows vulnerabilities that leave unpatched systems open to remote attack.
The updates, part of Microsoft's monthly Patch Tuesday, affect Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. One of the bulletins is labeled "critical," meaning it tackles a flaw that could be remotely exploited to spread an Internet worm "without user action," Microsoft wrote in its advisory. The critical bug affects all currently supported versions of Windows except Windows XP.
Two of the bulletins are labeled "important" and address flaws that would allow an attacker to remotely execute malicious code on an infected machine or gain elevated privileges; the final bulletin comes with a "moderate" tag, covering a flaw that could hinder users' access to certain programs if exploited, although exploiting a moderate vulnerability is difficult, Microsoft wrote.
The elephant in the room, the Windows bug currently being exploited by the dangerous Duqu Trojan, won't receive a fix in tomorrow's roundup. Microsoft did, however, push out a temporary workaround for the bug on Friday (Nov. 4) aimed at preventing Duqu, which is believed to be targeting either industrial control facilities or certificate authorities, from doing more damage.
Security experts speculate that Microsoft will tackle the Duqu exploit as soon as it understands the scope of the Trojan, which is expected to be sometime later in November. Waiting a full month until December's Patch Tuesday would be a long time to leave such a high-profile vulnerability unaddressed, and would be a poor move on Microsoft's part, especially now that Duqu is on the tip of everyone's tongues in the security community.
In the meantime, experts advise customers to wait for an official patch from Microsoft and to avoid falling for crooks trying to play on the growing fear and hype about Duqu with scareware or phishing scams.
"I recommend customers wait for official guidance, patches, and other mitigation strategies from Microsoft," said Marcus Carey, researcher from the Boston-based security firm Rapid7. "During times like this, many organizations are easily panicked and could fall victim to social engineering attacks based on the fear of zero-days in the wild."