Microsoft releases patch for Windows ANI flaw

By Bill Brenner, Senior News Writer
02 Apr 2007 | SearchSecurity.com

Microsoft Corp. on Tuesday released the anticipated out-of-band patch for the critical Windows ANI cursor-handling flaw. The company originally had planned to release the patch next Tuesday with its normal set of monthly fixes, but officials decided to publish it early because of ongoing attacks against the vulnerability.

This fix marks just the third time that Microsoft has released a security patch outside of the monthly cycle, a clear indicator of the severity of the vulnerability and the company's concern about the attacks. Microsoft officials said the attacks at this point are limited, but they're continuing to monitor the situation. The vulnerability is in how Windows handles animated cursor (.ani) files. Microsoft confirmed last week that attackers could exploit it to run malicious commands on a victim's machine. The flaw can be exploited when users visit a malicious Web site or open a tainted email attachment. Users are at risk even if they are browsing with Internet Explorer 7 on a system running Windows Vista. Most versions of Windows are vulnerable.

Indeed, attackers have wasted no time in exploiting the flaw, according to a variety of security vendors. The Bethesda, Md.-based SANS Internet Storm Center (ISC) took the rare step of raising its alert system to yellow over the weekend because of the number of sites hosting malware that could exploit the flaw.

"We continue to receive reports of sites hosting the malware, possibly to get ready for the Monday work day in Europe and the US," ISC handler Kevin Liston wrote on the organization's Web site.

The Chinese Internet Security Response Team (C.I.S.R.T) has detected a worm-like payload that exploits the ANI flaw. According to the organization's report, "It has the same behavior as Worm.Win32.Fujacks [and] can infect .html .aspx .htm .php .jsp .asp and .exe files." The exploit inserts malicious links into such files and can also be used to send out spam, the organization said.

McAfee Inc. is also reporting a spam campaign that exploits the flaw, saying it has detected "many Web sites linking to other sites that attempt to exploit this vulnerability."

Late last week, third-party security organizations started releasing their own fixes for the flaw, including Aliso Viejo, Calif.-based eEye Digital Security and the Zero-Day Emergency Response Team (ZERT).

"This is a very serious vulnerability that is almost certain to be exploited on a wide-scale basis," ZERT member Randy Abrams said in an emailed statement. "If the vulnerability were limited to animated cursors alone it would not be as serious, but there are reports of .jpg files, which are very commonly used in Web pages, being exploited as well."