Microsoft releases early ANI fix in GDI patch

Share this article:

Microsoft has released an out-of-cycle fix - one week before its scheduled Patch Tuesday release - for numerous vulnerabilities in Graphics Device Interface (GDI) that could allow remote code execution.

The fix, which resolves an issue in the way Windows handles ANI files, affects Microsoft software for Windows 2000, XP, Server 2003 and Vista operating systems.

Researchers from a list of vendors and organizations have reported attacks exploiting the flaw this week, many traced back to China.

By Monday, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said more than 150 malware samples exploiting the flaw were in the wild. Websense reported more than 100 exploitation sites by Saturday morning.

Microsoft revealed Monday in an advance notification that it would release a lone bulletin for Windows with a maximum severity rating of "critical." The update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

A Microsoft spokesperson confirmed earlier this week that MS07-017 will address a vulnerability in Windows ANI.

The spokesperson said attacks and customer impact were limited, although Microsoft was aware of the existence of a public attack on the flaw.

Meanwhile, eEye Digital Security, which released a third-party patch for the ANI flaw earlier in the week, updated its fix on Monday. A hacker using the alias Jamikazu posted zero-day exploit code that bypasses eEye’s patch to the Milw0rm site on Sunday.

ZERT (the Zeroday Emergency Readiness Team) also released an unauthorized fix for the flaw this week.

The out-of-cycle patch is the first such fix since Microsoft released a patch last September for a flaw in the way Internet Explorer handles vector markup language.

Redmond also released an early fix for a flaw in Windows metafile – a vulnerability often compared to the ANI flaw - in late 2005.

Click here to email Online Editor Frank Washkuch.

Looking for a new job? SCMagazine.com has the latest IT security employment opportunities. Click here for our jobs page.

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

Report: Stolen card data is crime that concerns Americans most

A recent Gallup Crime poll indicates that Americans' top two worries revolve around having credit card data stolen or their computer or smartphones compromised.

Pirate Bay co-founder found guilty for hacking IT service provider

Gottfrid Svartholm Warg was found guilty of hacking an IT service provider in Denmark. This is his second court case for illegally accessing data.

Assume Drupal 7 sites are compromised, unless patched or updated to 7.32 ...

Assume every Drupal 7 website is compromised, unless patched or updated to Drupal 7.32 within seven hours of the disclosure of a highly critical SQL injection vulnerability.