Microsoft fits 7 patches into .ANI emergency update

Microsoft's out-of-band update for the critical -- and under attack -- animated cursor (.ani) vulnerability has finally crossed the finish line, one week ahead of Redmond's own schedule but more than three months after it was first reported by a private security research company.

The MS07-017 update, which should be considered super high-priority, includes patches for a total of seven vulnerabilities, three affecting Windows Vista.

In addition to Windows Vista, the update applies to Windows 2000 SP4, Windows XP SP2, Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2.

The .ANI flaw, which was discovered by Determina and reported to Microsoft in December 2006, is the only bug rated "critical" across the board. Microsoft's brief description explains why:

A remote code execution vulnerability exists in the way that Windows handles cursor, animated cursor, and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
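That description is all the page says about the bug itself. As an added example, written for this page and not Microsoft's code or the MS07-017 fix, the C program below walks the RIFF container an .ani file uses (an "ACON" form holding a fixed 36-byte "anih" header chunk plus frame chunks) the way a loader should: every chunk length comes from the file, so it is checked against the bytes actually present before anything is read, and the fixed-size header chunk is accepted only at exactly its documented size. The sample files it parses are constructed inline; the field names in `ani_header` and the negative return codes are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The "anih" chunk of an animated cursor carries a fixed 36-byte ANIHEADER. */
#define ANIH_SIZE 36u

typedef struct {
    uint32_t cb_size, n_frames, n_steps, cx, cy, bit_count, planes, jif_rate, flags;
} ani_header;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a RIFF/ACON buffer. Every chunk length is attacker-controlled input, so
 * it is bounded by the bytes actually present before anything is read from the
 * chunk, and the fixed-size anih chunk is accepted only at exactly ANIH_SIZE.
 * Returns 0 and fills *hdr on success, a negative code on rejection. */
int ani_parse(const uint8_t *buf, size_t len, ani_header *hdr) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;                                  /* not an animated cursor */
    uint32_t riff_len = rd32(buf + 4);
    if (riff_len < 4 || (size_t)riff_len + 8 > len)
        return -2;                                  /* declared file size exceeds the buffer */
    size_t end = (size_t)riff_len + 8, off = 12;
    int seen_anih = 0;
    while (off + 8 <= end) {
        const uint8_t *id = buf + off;
        uint32_t clen = rd32(buf + off + 4);
        size_t body = off + 8;
        if (clen > end - body)
            return -3;                              /* chunk body runs past the file */
        if (memcmp(id, "anih", 4) == 0) {
            if (clen != ANIH_SIZE)
                return -4;                          /* header chunk must be exactly 36 bytes */
            const uint8_t *h = buf + body;
            hdr->cb_size = rd32(h);
            if (hdr->cb_size != ANIH_SIZE)
                return -5;                          /* cbSize inside the header must agree */
            hdr->n_frames  = rd32(h + 4);  hdr->n_steps = rd32(h + 8);
            hdr->cx        = rd32(h + 12); hdr->cy      = rd32(h + 16);
            hdr->bit_count = rd32(h + 20); hdr->planes  = rd32(h + 24);
            hdr->jif_rate  = rd32(h + 28); hdr->flags   = rd32(h + 32);
            seen_anih = 1;
        }
        /* "rate", "seq " and the LIST/fram chunks holding the frames are skipped
         * here; the bounds check above already applies to each of them. */
        off = body + clen + (clen & 1);             /* RIFF chunks are word-aligned */
    }
    return seen_anih ? 0 : -6;                      /* no header chunk at all */
}

/* Constructed sample: a RIFF/ACON file with one anih chunk whose declared
 * length is `declared` while `body` bytes are actually present. Returns the
 * number of bytes written, 0 if it does not fit in `cap`. */
size_t ani_build_sample(uint8_t *out, size_t cap, uint32_t declared, uint32_t body) {
    size_t total = 20 + (size_t)body;
    if (total > cap) return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);
    wr32(out + 4, 12 + body);                       /* "ACON" + chunk header + body */
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32(out + 16, declared);
    if (body >= 4) wr32(out + 20, ANIH_SIZE);       /* cbSize field of the header */
    if (body >= 8) wr32(out + 24, 2);               /* nFrames, arbitrary for the demo */
    return total;
}

/* Build a sample with the given declared/actual anih sizes and parse it. */
int ani_demo_case(uint32_t declared, uint32_t body) {
    uint8_t file[1024];
    ani_header hdr;
    size_t n = ani_build_sample(file, sizeof file, declared, body);
    return n ? ani_parse(file, n, &hdr) : -100;
}

int main(void) {
    printf("well-formed (anih = 36 bytes):       %d\n", ani_demo_case(36, 36));   /* 0 */
    printf("anih claims 512 bytes, 36 present:   %d\n", ani_demo_case(512, 36));  /* -3 */
    printf("anih is 40 bytes instead of 36:      %d\n", ani_demo_case(40, 40));   /* -4 */
    return 0;
}
```

Run stand-alone it parses three constructed files: a well-formed one, one whose anih chunk claims 512 bytes that are not there, and one whose header chunk is 40 bytes instead of 36. The last two are rejected before a byte of their body is read. The second rule is the one that matters for a fixed-size structure: a parser that copies a header using the file's own length field instead of the structure's size is exactly what turns a cursor file into a code-execution vector, so a length taken from the file is never trusted as a copy length.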

The decision to dump seven patches into this update is a bit of a surprise, but that does not mean next Tuesday's scheduled release of fixes is being cancelled. A spokesman for the MSRC told me this morning that more patches are coming down the pike on April 10, 2007.

The other six fixes in the update address a range of privilege escalation and denial-of-service flaws affecting Windows users.

One of those bugs -- a kernel issue related to the Graphics Rendering Engine -- is particularly interesting: Microsoft has known about it since October 2004. I'll have a separate blog entry coming on this bug, the disclosure issues surrounding it, and the sudden decision to dump it into a high-priority update.

  • Doesn't surprise me that there's more than one fix in this update

    Microsoft often batches up fixes that are in the same file (or a set of related files) into a single update. In this case, the files are user32.dll and win32k.sys (as well as gdi32.dll and mf3216.dll on pre-Vista systems).

    Microsoft has said that it was preparing the animated cursor fix for release on April 10. Evidently it was also preparing these other 6 fixes. At the time the animated cursor flaw was made public, they were already weeks into testing the single update that contained all 7 fixes. So if you need to rush it out, what's best to do: continue testing that single update, or roll back the other 6 fixes, make a new update with just the one fix, and start testing over?

    Of course Microsoft released all seven fixes early; not surprising at all.
    • Yesterday I claimed that

      the .ani issue has been around since December 2006. Someone wanted proof, well here it is. I wonder what took them this long to finally come out with the fix. No_Axe claimed yesterday that the Mozilla team should fix Firefox immediately. Well guess what, the fix is already here, and Mozilla didn't even have to do anything.
      I'm Ye, the MS SHILL.
      • Neither did the IE team

        The IE team didn't even have to do anything either :)
        • So,

          the Microsoft IE team is a completely separate entity from the Microsoft OS team?

          Microsoft vs Microsoft? Kinda reminds me of the old Mad Magazine Spy vs Spy cartoon.
  • Well Vista the cracks are showing up already

    • Better than the megapatches in Apple and Linux

      All the other patches in this Microsoft emergency update other than the ANI flaw were for local privilege escalation; not remote execution. Cracks? Yes. But not mega gaping holes in Apple and the mega patches you need for Linux distros.
      • What mega patches?

        I have seen maybe 10 total in March. 10 total patches, 0 were for the Linux kernel. All were for applications. ]:)
        Linux User 147560
      • ah, so sweet

        Very sweet George, as most have pointed out to you, and probably will have to do till the end of times.

        1. Your link is for <b>one</b> distro
        2. Depending on the function you would need to implement all or none of these

        Have you looked into the details of said patches, as they might also be just some kind of local privilege escalation?

        For once just suppress your knee-jerk reaction. Holes in software are a part of life whether we like it or not, live with it. You prefer Windows, so worry about Windows. And let other people worry about their respective OS's of choice.

        The only thing that strikes me as strange is why they put in these other patches, instead of waiting till next week's Patch Tuesday. But then again, they provide patches and we all should be happy that the software is patched and another attack vector is removed.
        • The patches came out quickly because of the alarm that was sounded.

          Folks have been exploiting this for some time, in fact last I recalled there were 150 websites that had code written into them to take advantage of this flaw. If anything I wonder why Mr. Ou isn't staying on topic anymore. You really should stop the butt sniffing, it looks really bad on your part. I'm wondering where Mikey & L.D. are?
          • that's only for the ani

            not all patches are for the ani, that's what makes me wonder.

            My main response to George is why always the knee-jerk response to anything negative in the feedback, and then responding with something he's got no credibility on, namely Linux or Apple.
        • Good advice. It should work both ways.

          <i>You prefer Windows, so worry about windows.</i>

          It would be nice if the Linux folks would follow this rule instead of always jumping in on discussions about Windows issues with the "How great thou art, Linux" comments. Even if Linux is more secure, there are those who prefer Windows, for whatever reason. There are those who prefer Linux, for whatever reason. To them I say <i>You prefer Linux, so worry about Linux.</i>

          Oh, I forgot, you don't have to.
          Flying Pig
          • You're right

            Only problem is that most Linux users also use Windows....

            Vice versa, this mostly does not apply.

            I hardly use Windows at all, so I decided to refrain from making remarks about it from now on. And when I run it, it's in VMware.
          • Using isn't the issue...It's which OS you prefer.

            It comes down to which OS you <i>prefer</i>. I use both, but I have my preference. It just seems that many who, from their regular posts, obviously prefer Linux, like to constantly preach their <i>opinion</i> to anyone who views things differently than their narrow-minded perspective. It's an <b><i>opinion</i></b>; there is no right or wrong answer. Their opinion has been noted. The question is, are they mature enough to respect the opinion of others?
            Flying Pig
          • And the answer probably is

            No, my pref lies with Linux, unfortunately too many zealots around on both sides, which tend to ruin the discussion.
      • Yep, Windows has now become...

        death by a thousand cuts. And like the airline industry, the software market has become so numb to each new slice that complaints are down simply because the baseline expectation has fallen away completely. Now "As long as I get there alive" is an acceptable level of service for airline companies. Since Melissa and Slammer, "As long as it doesn't bring down my whole network" is the acceptable level of service for software. Having to spend 20 minutes once a day bringing down a new image because somebody managed to get spyware installed on their system or opened up something they shouldn't have and got infected with a virus is just part of a day's work. It averages out to a little over 2 weeks a year, but who even counts that kind of productivity loss when it's stretched out over a year?
      • Better than the megapatches in Apple and Linux

        I too would like to know about these so called "megapatches" and "mega gaping holes" for Linux. Anyone that runs any type of M$ OS or software in my business is automatically FIRED by me. Only a fool would run M$ for any type of business.

        Vista = Virus, Instability Spyware, Trojans, and Application Problems ... Just say NO to VISTA
        uM0p ap!sdn
      • I Just Fired Up Ubuntu Today For First Time In 3 Months

        All I had were app patches..

        What the heck are you talking about?

        Sniffing the white out again?
        • Another distro?

          Or another benchmark to run? Can't be any other reason to run it ;-)
      • Once more...

        "Pay no attention to the man behind the curtain".

        Damn George! You are nothing if not consistent!

        Can't say something bad about something other with a problem...and it doesn't matter if the basis of that problem is with a library provided by MS...shame on them for not creating their very own pile of crap just like MS...

        Getting tired of this same old same old from you, try to be more creative in the future please. Mike Cox manages it...and he works here for free.
      • Better than exploits in the wild, I might add!

        At least with Apple & Linux things get fixed promptly, which is more than I can say for Microsoft. OK Microsoft cheerleaders, start the bashing. Mr. Ou, I like how you spin things, but I can spin them back. Funny how zealots like yourself place the blame elsewhere; I'm not distracted. If anything Windows is still a Piece Of S*it, security and stability my arse.