Microsoft patches Windows cursor vulnerability
It released fixes for seven flaws altogether, including two that affect Vista
April 3, 2007 12:00 PM ETComputerworld - Microsoft Corp. today patched the already-exploited Windows animated cursor vulnerability with a critical out-of-cycle security update that also fixed six other flaws.
The MS07-017 security bulletin, released a week ahead of the regularly scheduled April 10 patch date, fixes the ANI vulnerability that first surfaced last week when Microsoft acknowledged ongoing attacks. Since then, the bug has been tagged as "very dangerous" by security experts, has been distributed by hundreds of malicious Web sites and was the focus of multiple spam campaigns designed to dupe users into visiting criminal Web sites.
On Sunday, Microsoft promised it would push out an early patch.
Today's update is only the third since January 2005 to be posted outside the normal monthly schedule.
Microsoft based the early release decision on its own prognostications. "We have been monitoring the situation throughout and our indications, and those of our MSRA [Microsoft Security Response Alliance] partners, show there is a threat for attacks against this vulnerability to increase, although we haven't seen anything widespread," Christopher Budd, program manager at Microsoft Security Response Center (MSRC), said in a blog entry today.
The security bulletin rates the ANI bug as critical -- Microsoft's highest threat level in its four-step system -- across all supported editions of Windows: 2000, XP SP2, Windows Server 2003 and Vista. The vulnerability marks the first critical Vista bug disclosed and patched since the operating system's release Jan. 30, and the first flaw in Vista's own code.
Six other vulnerabilities were patched in the update; five were rated important -- one step below critical -- while the sixth was ranked even lower, as moderate. The half dozen fixes deal with a denial of service bug triggered by malicious Windows Metafile images; a vulnerability in Enhanced Metafile (EMF) image files that can elevate an attacker's privileges on a compromised computer; and a similar flaw in Windows' graphics-rendering engine. Six of the seven flaws fixed today allow hackers to hijack a PC.
Vista also is affected by the EMF vulnerability, said Microsoft, although it rated the threat as important, not critical.
Users can obtain the MS07-017 patches via Windows' Automatic Update, from the Microsoft Update service or through enterprise tools such as Windows Server Update Services (WSUS) and Software Update Services (SUS).
Even with the seven fixes issued today, Microsoft said its regularly scheduled updates next week will still take place. Limited information on those patches will be posted Thursday in an advance notice, as is the company's usual practice.
Microsoft
Additional Resources



White Papers & Webcasts
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Why Email Must Operate 24/7 and How to Make This Happen
Learn how to avoid an email outage by implementing a hosted email continuity solution.
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Eradicate Spam & Gain 100% Asurance of Clean Mailboxes
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
