Microsoft fits 7 patches into .ANI emergency update

Microsoft's out-of-band update for the critical -- and under attack -- animated cursor (.ani) vulnerability has finally crossed the finish line, one week ahead of Redmond's own schedule but more than three months after it was first reported by a private security research company.

The MS07-017 update, which should be considered super high-priority, includes patches for a total of seven vulnerabilities, three affecting Windows Vista.

In addition to Windows Vista, the update applies to Windows 2000 SP4, Windows XP SP2, Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2.

The .ANI flaw, which was discovered by Determina and reported to Microsoft in December 2006, is the only bug rated "critical" across the board. Microsoft's brief description explains why:

A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

The decision to dump seven patches into this update is a bit of a surprise, but that does not mean that next Tuesday's scheduled release of fixes is being cancelled. A spokesman for the MSRC told me this morning that more patches are coming down the pike on April 10, 2007.

The other six updates address a range of privilege escalation and denial-of-service flaws affecting Windows users. 

One of those bugs -- a kernel issue related to the Graphics Rendering Engine -- is particularly interesting, since it has been known to Microsoft since October 2004. I'll have a separate blog entry coming on this bug, the disclosure issues surrounding it, and the sudden decision to dump it into a high-priority update.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
