Microsoft warns of zero-day Windows bug
Vista is at risk to critical drive-by vulnerability in animated cursor files
Computerworld - Microsoft Corp. confirmed today that Windows, including Vista, contains a critical unpatched vulnerability that can be used by attackers to usurp PCs when users surf to malicious sites.
In a security advisory posted this morning, Microsoft's Security Response (MSRC) team acknowledged a bug in Windows' animated cursor, a component that lets developers show a short animation at the mouse pointer's location. Animated cursor files typically use the .ani extension, but the MSRC warned that hackers might disguise malicious animated cursors with other extensions. The SANS Institute, in fact, said it had received reports of in-the-wild exploits using files renamed to .jpg.
"An attacker could try to exploit the vulnerability by creating a specially crafted Web page," the Microsoft advisory warned. "An attacker could also create a specially crafted e-mail message and send it to an affected system. Upon viewing a Web page, previewing or reading a specially crafted message, or opening a specially crafted e-mail attachment, the attacker could cause the affected system to execute code."
Antivirus vendor McAfee Inc. first noted the drive-by vulnerability late yesterday, when Craig Schmugar, virus research manager at the company's Avert Labs, blogged about tests that showed an up-to-date copy of Windows XP SP2 was vulnerable via Internet Explorer 6 and 7. According to Schmugar, users running Firefox 2.0 appear to be safe from drive-by exploits using the vulnerability.
Although Microsoft listed Windows Vista among the affected editions -- which include Windows 2000, XP and Server 2003 -- it also said that on Vista, IE 7 in its default configuration would protect users. "Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer 7.0 protected mode," the MSRC said. However, protected mode, while on by default, can be disabled by the user.
Simply by dragging a malicious .ani file to the Vista desktop, Schmugar was able to send the operating system over the edge, and into an endless "crash-restart" loop. He has posted a video of the Vista crash on the Avert Labs site, as well as on YouTube.
In response to the new threat, security companies immediately issued their own alerts and raised overall Internet risk rankings. Symantec Corp., for example, pushed its ThreatCon to "2."
The MSRC downplayed the threat by claiming only "very limited" attacks were in progress and saying they were "not widespread" at the moment. "[But] we are monitoring the issue and will update the advisory as new information becomes available," Adrian Stone, an MSRC program manager, said on the group's blog.
Microsoft said it would patch the bug in a security update, but would not commit to when. "[We] will release un update for this issue at the conclusion of our investigation," a spokeswoman said today.
The next scheduled update cycle for the developer is April 10. Until then, Microsoft's advice to users remained basic: "Do not visit untrusted Web sites or view unsolicited e-mail."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts