Animated cursor attacks escalate; emergency patch coming

Microsoft plans to release an emergency, out-of-cycle Windows update on Tuesday, April 3, 2006 to patch the animated cursor (.ani) vulnerability currently being used in widespread malware attacks.

The decision follows a weekend of escalated attacks, which include a self-propagating worm spotted in China and the discovery of hundreds (possibly thousands) of hacked Web sites hosting animated cursor exploits.

According to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center), the out-of-band patch is in response to the increased attacks and the public disclosure of proof-of-concept code.

"In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007," Budd said in a blog entry.

The proof-of-concept code is available at Milw0rm.com, a public repository for free exploits. The remote exploit code even bypasses the unofficial patch being offered by eEye Digital Security.

Dave Aitel's Immunity has also released an exploit in its CANVAS penetration testing platform.

In addition to public exploit code, the Chinese Internet Security Response Team has found evidence of a worm attack linked to the .ani zero-day vulnerability.

"We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It can also infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts malicious links which contain the Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It can also send out Chinese spam which includes the same zero-day vulnerability link."

The worm is being downloaded from "microfsot.com," a typo-squatted domain.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
