Microsoft Plans One Critical Fix On Patch Tuesday

What won't be included is a fix for the Windows vulnerability exploited by Duqu, the malware believed created for cyber-espionage and a possible relative of the infamous Stuxnet worm that damaged Iranian nuclear facilities last year. Microsoft has confirmed that a Duqu installer recovered by a Hungarian university lab took advantage of a zero-day vulnerability in Windows. While the software maker hasn't said when it will release a patch, one is expected by Friday, according to Paul Henry, forensic analyst at Lumension Security.

Microsoft has given the critical flaw set for release next Tuesday an exploitability rating of 3, according to Henry. Such a rating means an attacker is unlikely to be able to create malware that could take full advantage of the vulnerability. "Microsoft suggests it is unlikely this patch will be used," Henry said in a commentary.

The Duqu installer reported this week was hidden in a Word document distributed via e-mail to trick recipients into opening the file. Some experts say code similarities between Duqu and Stuxnet show both malware were written by the same team. Others dispute the claim, arguing that Duqu is more likely a spinoff. The Budapest University of Technology and Economics has shared the installer with Microsoft and security vendor Symantec, which have not shared the code with anti-virus companies.

Duqu, which was first found in Europe, was initially believed to be targeted at makers of industrial control systems and certificates of authority. Security experts have backed away from those early claims, saying only that the malware was targeted at suppliers of industrial facilities in a dozen countries.