Microsoft to release ANI patch a week early

By on
Microsoft to release ANI patch a week early

Microsoft announced on Sunday that it will release an out-of-band patch to fix a vulnerability in Windows Animated Cursor Handling (ANI) that some security experts are calling one of the most significant flaws in years.

The ANI bug leaves open to attack any webpage email or content that can load an animated cursor, allowing attackers to run arbitrary code on users’ systems. Over the weekend ANI exploits snowballed, wrecking the weekend for many security professionals responding to attacks.

On Friday, Secunia reported the vulnerability as “extremely critical” and eEye Digital released a third-party patch to service those anxious to protect systems before Microsoft releases its sanctioned fix.

According to Ken Dunham of iDefense Labs, researchers have found over 150 malware samples utilising the vulnerability in the wild as of early Sunday morning.

He reported that a worm, a spam run and generation kits exploiting the flaw now exist in the wild. On Saturday Websense reported over 100 ANI exploitation sites in the wild.

“This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers,” Dunham says.

“iDefense believes the new ANI exploit will be a long term persistent threat, one of the most significant we've seen in the past three years.”

Dunham reported that many of the ANI attack kits were based in China, with a focus on the theft of role-playing game credentials to sell on the black market. While most exploits currently impact only Windows XP SP2, he noted that the damage will likely spread.

“It's trivial to modify the exploit to work on other builds of operating systems,” he said, “iDefense has also found that it's trivial to modify the exploit to work through a Windows Explorer vector.”

Microsoft plans to release the patch this Tuesday, a full week before its regularly-scheduled patch release, in response to widespread exploits.

“Microsoft originally planned to release the update on Tuesday, April 10, 2007 as part of its regular monthly release of security bulletins,” a Microsoft spokesperson said.
“However, Microsoft is aware of the existence of a public attack utilising the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”

The patch may not come quickly enough for bleary-eyed security professionals who have been working overtime to mitigate risks.“Happy April Fool's Day, no joking,” said Ken Dunham of iDefense Labs in an advisory on Sunday, “it will be very busy today and as we head into the work week.”
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
a ani early microsoft patch release security to week

Sponsored Whitepapers

Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams
Find unhappy users before they complain
Find unhappy users before they complain
How to reduce the risk of phishing and ransomware
How to reduce the risk of phishing and ransomware
Prevent fraud and phishing attacks with DMARC
Prevent fraud and phishing attacks with DMARC
Security awareness training strategies for account takeover protection
Security awareness training strategies for account takeover protection

Events

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
ACCC clears 5G as a substitute for fixed-line broadband

ACCC clears 5G as a substitute for fixed-line broadband
Service NSW to hire 200 engineers, designers

Service NSW to hire 200 engineers, designers
ANZ sets itself up for a new workforce transformation

ANZ sets itself up for a new workforce transformation

Log In

Email:
Password:
  |  Forgot your password?