Animated cursor attacks escalate; emergency patch coming

The decision follows a weekend of escalated attacks, which include a self-propagating worm spotted in China and the discovery of hundreds (possibly thousands) of hacked Web sites hosting animated cursor exploits.

According to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center), the out-of-band patch is in response to the increased attacks and the public disclosure of proof-of-concept code.

"In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007," Budd said in a blog entry.

The proof-of-concept code is available at Milw0rm.com, a public repository for free exploits. The remote exploit code even bypasses the unofficial patch being offered by eEye Digital Security.

Dave Aitel's Immunity has also released an exploit in its CANVAS penetration testing platform.

In addition to public exploit code, the Chinese Internet Security Response Team has found evidence of a worm attack linked to the .ani zero-day vulnerability.

We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It also can infects .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spams which are include the same zero-day vulnerability link.

The worm is being downloaded from "microfsot.com," a typo-squatted domain.