Microsoft announced on Sunday that it will release an out-of-cycle patch to fix a vulnerability in Windows animated cursor handling (ANI) that some security experts are calling one of the most significant flaws in years.
The ANI bug can be exploited through any web page, email or other content that can load an animated cursor, allowing attackers to run arbitrary code on users’ systems. Over the weekend, ANI exploits snowballed, wrecking the weekend for many security professionals responding to attacks.
Microsoft will release the patch this Tuesday, a full week before its regularly scheduled patch release, in response to widespread exploits.
“Microsoft originally planned to release the update on Tuesday, April 10 as part of its regular monthly release of security bulletins,” a Microsoft spokesperson said. “However, Microsoft is aware of the existence of a public attack utilizing the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”
The early patch may not come quickly enough for bleary-eyed security professionals who have been working overtime to mitigate risks.
“Happy April Fools' Day, no joking,” said Ken Dunham. “It will be very busy today as we head into the work week.”
On Friday, Secunia reported the vulnerability as “extremely critical,” and eEye Digital Security released a third-party patch to serve those anxious to protect systems before Microsoft releases its sanctioned fix. The Zeroday Emergency Response Team (ZERT) on Saturday also released a personal fix.
According to Ken Dunham of VeriSign iDefense Labs, as of early Sunday morning, researchers had found more than 150 malware samples utilizing the vulnerability in the wild. He reported that a worm, a spam run and generation kits exploiting the flaw now exist in the wild. On Saturday, Websense reported more than 100 ANI exploitation sites in the wild.
“This is undoubtedly a serious issue that will persist for many months, if not years, attacking vulnerable computers,” Dunham said. “iDefense believes the new ANI exploit will be a long-term persistent threat, one of the most significant we've seen in the past three years.”
Dunham reported that many of the ANI attack kits are based out of China, with a focus on the theft of role-playing game credentials to sell on the black market. While most exploits currently impact only Windows XP Service Pack 2, he noted that the damage will likely spread.
“It's trivial to modify the exploit to work on other builds of operating systems,” he said. “iDefense has also found that it's trivial to modify the exploit to work through a Windows Explorer vector.”
Microsoft previously released out-of-band patches in September to fix a vector markup language flaw and in December 2005 to repair a Windows metafile vulnerability.