Microsoft warns of Windows zero-day; third-party fix released

Bill Brenner

Updated March 30 with additional attack details from McAfee Inc. and on a third-part patch offered by eEye.

Attackers are using a new, unpatched flaw in Internet Explorer to compromise machines running a number of versions of Windows, including Vista. Microsoft Corp. confirmed the attacks Thursday in an

    Requires Free Membership to View

advisory on its Web site. The security hole affects Internet Explorer 7, Vista and other versions of the operating system.

Aliso Viejo, Calif.-based eEye Digital Security announced on its zero-day tracker that it has come up with a temporary fix.

"The temporary patch mitigates this vulnerability by preventing cursors from being loaded outside of %SystemRoot%," eEye said. "This disallows Web sites from loading their own, potentially malicious animated icons, while causing little to no business disruption on hosts with the patch installed."

Microsoft confirmed the existence of the zero-day flaw Thursday.

"Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Windows handles animated cursor (.ani) files," the company said in its advisory. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted email message or email attachment sent to them by an attacker."

The French Security Incident Response Team (FrSIRT) said in an advisory that the problem is a memory corruption error that surfaces when the operating system renders malformed cursors, animated cursors or icons. Attackers could exploit this to run malicious commands on a victim's machine. The flaw affects:

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: