Microsoft to release ANI patch a week early

By on
Microsoft to release ANI patch a week early

Microsoft announced on Sunday that it will release an out-of-band patch to fix a vulnerability in Windows Animated Cursor Handling (ANI) that some security experts are calling one of the most significant flaws in years.

The ANI bug leaves open to attack any webpage email or content that can load an animated cursor, allowing attackers to run arbitrary code on users’ systems. Over the weekend ANI exploits snowballed, wrecking the weekend for many security professionals responding to attacks.

On Friday, Secunia reported the vulnerability as “extremely critical” and eEye Digital released a third-party patch to service those anxious to protect systems before Microsoft releases its sanctioned fix.

According to Ken Dunham of iDefense Labs, researchers have found over 150 malware samples utilising the vulnerability in the wild as of early Sunday morning.

He reported that a worm, a spam run and generation kits exploiting the flaw now exist in the wild. On Saturday Websense reported over 100 ANI exploitation sites in the wild.

“This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers,” Dunham says.

“iDefense believes the new ANI exploit will be a long term persistent threat, one of the most significant we've seen in the past three years.”

Dunham reported that many of the ANI attack kits were based in China, with a focus on the theft of role-playing game credentials to sell on the black market. While most exploits currently impact only Windows XP SP2, he noted that the damage will likely spread.

“It's trivial to modify the exploit to work on other builds of operating systems,” he said, “iDefense has also found that it's trivial to modify the exploit to work through a Windows Explorer vector.”

Microsoft plans to release the patch this Tuesday, a full week before its regularly-scheduled patch release, in response to widespread exploits.

“Microsoft originally planned to release the update on Tuesday, April 10, 2007 as part of its regular monthly release of security bulletins,” a Microsoft spokesperson said.
“However, Microsoft is aware of the existence of a public attack utilising the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”

The patch may not come quickly enough for bleary-eyed security professionals who have been working overtime to mitigate risks.“Happy April Fool's Day, no joking,” said Ken Dunham of iDefense Labs in an advisory on Sunday, “it will be very busy today and as we head into the work week.”
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
a ani early microsoft patch release security to week
In Partnership With

Most Read Articles

Centrelink loses welfare payments overhaul chief

Centrelink loses welfare payments overhaul chief
Key EDS witness bought internet degree

Key EDS witness bought internet degree
Aussie Broadband to offer 'best effort' gigabit NBN plans for $149

Aussie Broadband to offer 'best effort' gigabit NBN plans for $149
Commonwealth Bank reveals new chief digital officer

Commonwealth Bank reveals new chief digital officer
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
TechTarget: Organizations Increasing Their Adoption of NFV
TechTarget: Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD
The Maturity of Zero Trust in Australia and New Zealand
The Maturity of Zero Trust in Australia and New Zealand

Events

Log In

Username / Email:
Password:
  |  Forgot your password?