Some IT shops are having trouble installing the out-of-cycle Windows ANI patch Microsoft released Tuesday.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) reported some installation problems with the patch released in MS07-017, which fixes a glitch in how Windows handles animated cursor (.ani) files.
"We have received several emails today from people who are having problems with the patch," ISC handler Deborah Hale wrote on the site. She said Microsoft is working to address the problems and is asking anyone who has trouble after installing the patch to contact Microsoft Product Support Services at 1-866-PCSAFETY. The ISC site links to Microsoft, which addresses some of the problems reported so far.
MS07-017 was released a week ahead of Microsoft's regularly-scheduled security update because the flaw has been targeted in a number of attacks. Microsoft confirmed last week that attackers could exploit it to run malicious commands on a victim's machine. The flaw can be exploited when users visit a malicious Web site or open a tainted email attachment. Users are at risk even if they are browsing with Internet Explorer 7 on a system running Windows Vista. Most versions of Windows are vulnerable.
Alexander Sotirov, a researcher at Redwood City, Calif.-based Determina Inc. who discovered the ANI flaw last December and reported it to Microsoft, said in the Determina Security blog that the popular Mozilla Firefox browser is also susceptible to the flaw.
His posting included a short flash video demonstrating an exploit against the ANI vulnerability in which he says, "It turns out that Firefox uses the same vulnerable Windows component to process .ani files, which means it can be exploited in a way similar to Internet Explorer."
The news may be disheartening to Firefox users who view the open source browser as a safer alternative to the much-attacked Internet Explorer.
Mozilla has already released a number of Firefox security updates this year. Mozilla security chief Window Snyder said in a recent interview that Mozilla tries to issue a security upgrade every six weeks or so.
"We're continuously looking for vulnerabilities and continuously fixing them," she said at the time. "Users don't have to wait for the next version of the product to get a lot of the benefits of the security work we're doing. They get it on a regular basis."