Microsoft releases patch for Windows ANI flaw

By Bill Brenner, Senior News Writer 02 Apr 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft Corp. on Tuesday released the anticipated out-of-band patch for the critical MS07-017 Windows ANI cursor-handling flaw. The company originally had planned to release the patch for MS07-017 next Tuesday with its normal set of monthly fixes, but officials decided to publish it early because of ongoing attacks against the vulnerability.

This fix marks just the third time that Microsoft has released a security patch outside of the monthly cycle, a clear indicator of the severity of the vulnerability and the company's concern about the attacks. Microsoft officials said the attacks at this point are limited, but they're continuing to monitor the situation.

The MS07-017 vulnerability is in how Windows handles animated cursor (.ani) files. Microsoft confirmed last week that attackers could exploit it to run malicious commands on a victim's machine. The flaw can be exploited when users visit a malicious Web site or open a tainted email attachment. Users are at risk even if they are browsing with Internet Explorer 7 on a system running Windows Vista. Most versions of Windows are vulnerable.

Microsoft Word ANI zero-day: Microsoft warns of Windows zero-day; third-party fix released: Attackers are exploiting a new zero-day flaw in Windows, Microsoft confirmed Thursday. eEye Digital Security has released a temporary patch.

Indeed, attackers have wasted no time in exploiting the flaw, according to a variety of security vendors. The Bethesda, Md.-based SANS Internet Storm Center (ISC) took the rare step of raising its alert system to yellow due to the ANI exploit over the weekend because of the number of sites hosting malware that could exploit the flaw.

"We continue to receive reports of sites hosting the malware, possibly to get ready for the Monday work day in Europe and the US," ISC handler Kevin Liston wrote on the ISC Web site.

The Chinese Internet Security Response Team (C.I.S.R.T) has detected a worm-like payload that exploits the ANI flaw. According to the C.I.S.R.T ANI zero-day report, "It has the same behavior as Worm.Win32.Fujacks [and] can infect .html .aspx .htm .php .jsp .asp and .exe files." The exploit inserts malicious links into such files and can also be used to send out spam, the organization said.

McAfee Inc. is also reporting a spam campaign that exploits the flaw, saying it has detected "many Web sites linking to other sites that attempt to exploit this vulnerability."

Late last week, third-party security organizations started releasing their own fixes for the flaw, including Aliso Viejo, Calif.-based eEye Digital Security and the Zero-Day Emergency Response Team (ZERT).

"This is a very serious vulnerability that is almost certain to be exploited on a wide-scale basis," ZERT member Randy Abrams said in an emailed statement. "If the vulnerability were limited to animated cursors alone it would not be as serious, but there are reports of .jpg files, which are very commonly used in Web pages, being exploited as well."

Tags: Security Patch Management,  Securing Productivity Applications,  Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Securing Productivity Applications How to detect software tampering Adobe fixes 29 flaws in Acrobat, Reader Adobe warns of critical update for Reader, Acrobat 9.1.3 Why should we place data files on a separate partition than the OS? Adobe updates ColdFusion, JRun, Flex Serious Adobe Flash flaw being exploited Adobe acknowledges serious Flash zero-day vulnerability Adobe issues security advisory for Flash zero-day flaw When to use the service features of the Metasploit hacking tool How to manage patches for Adobe Emerging Information Security Threats Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Hathaway joins Harvard to contribute to DOD project

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary