
Microsoft Fixes Animated Cursor Flaw



David Utter
Staff Writer
2007-04-04



The out-of-band advisory issued by Microsoft corrected the critical animated cursor problem that had been exploited in the wild.


That ANI file problem was not the only one patched outside Microsoft's normal release schedule of the second Tuesday of each month. A total of seven vulnerabilities received fixes in Microsoft's advisory.

Only the animated cursor problem presented a remote code execution threat. Microsoft first received reports of the problem with animated cursors in December 2006. Until recently it appeared the flaw had been overlooked by attackers.

Postings on a Chinese hacker message board caught the attention of researchers at McAfee, including Craig Schmugar, who documented the drive-by nature of the ANI exploit on McAfee's Avert Labs blog. He later posted that the exploit used against the Dolphin Stadium website before the Super Bowl was related to this ANI issue.

We asked Schmugar why he thought Microsoft had waited so long to patch this critical issue, especially since Microsoft issued no patches in March:

Unfortunately this happens all the time. Vulnerabilities, even critical ones, can go months before a patch is released. I don't have any specific answers for this case and have no knowledge of why Microsoft didn't release it in March, but it is worth considering these events.

1) March Patch Tuesday was skipped just after the DST change. There were numerous reports of people having problems applying DST patches.
2) The ANI patch today included other fixes to the same Windows components.

Point #2 suggests that they were probably queuing up the issue to release the fix as one patch. It costs Microsoft a lot of money to release a patch, and it costs companies a lot of money to apply those patches. Surely Microsoft was juggling the risk of a vulnerability that was reported to them privately (and not known to be exploited in the wild) versus these costs.

This is a case where waiting did not pay off, but I'm sure there were plenty of cases in the past where waiting did not cause a problem.

The nature of the ANI issue, and the numerous exploits against it in the wild, makes it important to apply this patch as soon as possible to vulnerable systems.


About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
