Microsoft to release ANI patch a week early

By on
Microsoft to release ANI patch a week early

Microsoft announced on Sunday that it will release an out-of-band patch to fix a vulnerability in Windows Animated Cursor Handling (ANI) that some security experts are calling one of the most significant flaws in years.

The ANI bug leaves open to attack any webpage email or content that can load an animated cursor, allowing attackers to run arbitrary code on users’ systems. Over the weekend ANI exploits snowballed, wrecking the weekend for many security professionals responding to attacks.

On Friday, Secunia reported the vulnerability as “extremely critical” and eEye Digital released a third-party patch to service those anxious to protect systems before Microsoft releases its sanctioned fix.

According to Ken Dunham of iDefense Labs, researchers have found over 150 malware samples utilising the vulnerability in the wild as of early Sunday morning.

He reported that a worm, a spam run and generation kits exploiting the flaw now exist in the wild. On Saturday Websense reported over 100 ANI exploitation sites in the wild.

“This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers,” Dunham says.

“iDefense believes the new ANI exploit will be a long term persistent threat, one of the most significant we've seen in the past three years.”

Dunham reported that many of the ANI attack kits were based in China, with a focus on the theft of role-playing game credentials to sell on the black market. While most exploits currently impact only Windows XP SP2, he noted that the damage will likely spread.

“It's trivial to modify the exploit to work on other builds of operating systems,” he said, “iDefense has also found that it's trivial to modify the exploit to work through a Windows Explorer vector.”

Microsoft plans to release the patch this Tuesday, a full week before its regularly-scheduled patch release, in response to widespread exploits.

“Microsoft originally planned to release the update on Tuesday, April 10, 2007 as part of its regular monthly release of security bulletins,” a Microsoft spokesperson said.
“However, Microsoft is aware of the existence of a public attack utilising the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”

The patch may not come quickly enough for bleary-eyed security professionals who have been working overtime to mitigate risks.“Happy April Fool's Day, no joking,” said Ken Dunham of iDefense Labs in an advisory on Sunday, “it will be very busy today and as we head into the work week.”
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
a ani early microsoft patch release security to week
In Partnership With

Most Read Articles

Australia to 'fast-track' permanent residency for highly-skilled tech migrants

Australia to 'fast-track' permanent residency for highly-skilled tech migrants
Coles taps off Visa debit in transaction network tussle

Coles taps off Visa debit in transaction network tussle
NAB junk software bill balloons to $500m in cloud app exodus

NAB junk software bill balloons to $500m in cloud app exodus
Westpac ATM sale spurs other banks to junk machines

Westpac ATM sale spurs other banks to junk machines
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?