Microsoft's out-of-band update for the critical -- and under attack -- animated cursor (.ani) vulnerability has finally crossed the finish line, one week ahead of Redmond's own schedule but more than three months after it was first reported by a private security research company.
The MS07-017 update, which should be treated as a top-priority install, includes patches for a total of seven vulnerabilities, three of them affecting Windows Vista.
In addition to Windows Vista, the update applies to Windows 2000 SP4, Windows XP SP2, Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2.
The .ANI flaw, which was discovered by Determina and reported to Microsoft in December 2006, is the only bug rated "critical" across the board. Microsoft's brief description explains why:
A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
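The bug class behind a "malicious cursor or icon file", as an added example that is not Microsoft's code or any real Windows loader: a minimal parser for the RIFF "ACON" container that .ani files use. Every chunk's length field is read from the file itself, so a loader has to check it against the data actually present and against the size of the structure it copies into (the animated-cursor header is a fixed 36 bytes) before moving anything. The builder and the three sample files are constructed inline for the demonstration; the field names follow the documented ANIHEADER layout, and the choice to reject a second anih chunk is a conservative decision of this example, not a rule of the format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's code. Animated cursors are RIFF files with
 * form type "ACON"; the "anih" chunk carries a fixed 36-byte header. The
 * length field of every chunk comes straight from the file, so a loader
 * must validate it against the remaining input and against the size of the
 * structure that receives it before copying a single byte. */

#define ANIH_SIZE 36u  /* nine 32-bit fields: cbSizeof, cFrames, cSteps, cx,
                          cy, cBitCount, cPlanes, JifRate, flags */

typedef struct {
    uint32_t cb_size, frames, steps, cx, cy, bit_count, planes, jif_rate, flags;
} anih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 and fills *hdr when buf holds a well-formed ACON file with exactly
 * one 36-byte anih chunk; returns 0, copying nothing, on any malformed input. */
int parse_ani(const uint8_t *buf, size_t len, anih_t *hdr) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return 0;
    uint32_t riff_len = rd32(buf + 4);
    if (riff_len < 4 || riff_len > len - 8)
        return 0;                          /* RIFF size must fit inside the file */
    size_t pos = 12, end = 8 + riff_len;
    int seen_anih = 0;
    while (pos + 8 <= end) {
        const uint8_t *fourcc = buf + pos;
        uint32_t clen = rd32(buf + pos + 4);
        pos += 8;
        if (clen > end - pos)
            return 0;                      /* chunk claims more data than exists */
        if (memcmp(fourcc, "anih", 4) == 0) {
            /* The decisive check: the receiving structure holds 36 bytes, so
             * any other value in the length field is rejected, not copied.
             * A second anih chunk is refused as well (this example's choice). */
            if (clen != ANIH_SIZE || seen_anih)
                return 0;
            const uint8_t *d = buf + pos;
            uint32_t f[9];
            for (int i = 0; i < 9; i++)
                f[i] = rd32(d + 4 * i);
            if (f[0] != ANIH_SIZE)
                return 0;                  /* cbSizeof must match the format too */
            hdr->cb_size = f[0]; hdr->frames = f[1]; hdr->steps = f[2];
            hdr->cx = f[3]; hdr->cy = f[4]; hdr->bit_count = f[5];
            hdr->planes = f[6]; hdr->jif_rate = f[7]; hdr->flags = f[8];
            seen_anih = 1;
        }
        pos += clen + (clen & 1);          /* RIFF chunk data is word-aligned */
    }
    return seen_anih;
}

/* Constructed sample data, not a real cursor: builds an ACON file whose anih
 * chunk *declares* declared_len bytes while actual_len bytes are really
 * present, so both lies a crafted file can tell (a length past the end of
 * the file, a length larger than the header) can be exercised.
 * Returns the file length, or 0 if out is too small. */
size_t build_ani(uint8_t *out, size_t cap, uint32_t declared_len, uint32_t actual_len) {
    uint32_t padded = actual_len + (actual_len & 1);
    size_t total = 12 + 8 + padded;
    if (total > cap)
        return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);
    wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32(out + 16, declared_len);
    if (actual_len >= ANIH_SIZE) {         /* fill in a plausible header */
        wr32(out + 20, ANIH_SIZE);         /* cbSizeof */
        wr32(out + 24, 3);                 /* cFrames */
        wr32(out + 28, 3);                 /* cSteps */
        wr32(out + 52, 1);                 /* flags: AF_ICON */
    }
    return total;
}

int main(void) {
    uint8_t file[256];
    anih_t hdr;
    size_t n = build_ani(file, sizeof file, ANIH_SIZE, ANIH_SIZE);
    printf("well-formed:          %s\n", parse_ani(file, n, &hdr) ? "accepted" : "rejected");
    n = build_ani(file, sizeof file, 40, 40);
    printf("anih larger than 36:  %s\n", parse_ani(file, n, &hdr) ? "accepted" : "rejected");
    n = build_ani(file, sizeof file, 4096, ANIH_SIZE);
    printf("anih length past EOF: %s\n", parse_ani(file, n, &hdr) ? "accepted" : "rejected");
    return 0;
}
```

The two rejections are the point: the length field is attacker-controlled data, and the copy into a fixed-size structure is only safe once the length has been checked against both the bytes remaining in the file and the structure's own size. The same discipline applies to every chunk-based format a desktop or browser renders without asking the user.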
The decision to dump seven patches into this update is a bit of a surprise, but that does not mean that next Tuesday's scheduled release of fixes is being cancelled. A spokesman for the MSRC told me this morning that more patches are coming down the pike on April 10, 2007.
The other six fixes in the bulletin address a range of privilege-escalation and denial-of-service flaws affecting Windows users.
One of those bugs -- a kernel issue in the Graphics Rendering Engine -- is particularly interesting, since it has been known to Microsoft since October 2004. I'll have a separate blog entry coming on this bug, the disclosure issues surrounding it, and the sudden decision to dump it into a high-priority update.