Microsoft Corp. on Tuesday released the anticipated out-of-band patch for the critical MS07-017 Windows ANI cursor-handling flaw. The company originally had planned to release the patch for MS07-017 next Tuesday with its normal set of monthly fixes, but officials decided to publish it early because of ongoing attacks against the vulnerability.
This fix marks just the third time that Microsoft has released a security patch outside of the monthly cycle, a clear indicator of the severity of the vulnerability and the company's concern about the attacks. Microsoft officials said the attacks at this point are limited, but they're continuing to monitor the situation.
The MS07-017 vulnerability is in how Windows handles animated cursor (.ani) files. Microsoft confirmed last week that attackers could exploit it to run malicious commands on a victim's machine. The flaw can be exploited when users visit a malicious Web site or open a tainted email attachment. Users are at risk even if they are browsing with Internet Explorer 7 on a system running Windows Vista. Most versions of Windows are vulnerable.
Indeed, attackers have wasted no time in exploiting the flaw, according to a variety of security vendors. The Bethesda, Md.-based SANS Internet Storm Center (ISC) took the rare step of raising its alert level to yellow over the weekend because of the number of sites hosting malware that could exploit the ANI flaw.
"We continue to receive reports of sites hosting the malware, possibly to get ready for the Monday work day in Europe and the US," ISC handler Kevin Liston wrote on the ISC Web site.
The Chinese Internet Security Response Team (C.I.S.R.T) has detected a worm-like payload that exploits the ANI flaw. According to the C.I.S.R.T ANI zero-day report, "It has the same behavior as Worm.Win32.Fujacks [and] can infect .html .aspx .htm .php .jsp .asp and .exe files." The exploit inserts malicious links into such files and can also be used to send out spam, the organization said.
McAfee Inc. is also reporting a spam campaign that exploits the flaw, saying it has detected "many Web sites linking to other sites that attempt to exploit this vulnerability."
Late last week, third-party security organizations started releasing their own fixes for the flaw, including Aliso Viejo, Calif.-based eEye Digital Security and the Zero-Day Emergency Response Team (ZERT).
"This is a very serious vulnerability that is almost certain to be exploited on a wide-scale basis," ZERT member Randy Abrams said in an emailed statement. "If the vulnerability were limited to animated cursors alone it would not be as serious, but there are reports of .jpg files, which are very commonly used in Web pages, being exploited as well."
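The article makes two points a defender can act on: the flaw is in how Windows parses .ani files, and there are reports of the same content arriving as .jpg files, so a file's extension says nothing about whether the cursor parser will be invoked on it. The following Python script is an added example, not code from the article or from any of the vendors it names. It identifies animated-cursor content by the RIFF/ACON magic bytes regardless of filename, then does basic structural validation of the top-level chunks: it refuses chunks whose declared length runs past the end of the file and flags an anih header chunk that is missing, duplicated, or not the 36-byte ANIHEADER size the public ANI format defines (that size comes from the format specification, not from the article). The sample files at the bottom are constructed in-line and are not real malware.

```python
"""Defensive check for animated-cursor (.ani) content: RIFF/ACON files that
hide behind another extension or carry a malformed header chunk.
Added example, not from the original article; the samples at the bottom
are synthetic fixtures, not real cursor files or malware."""
import struct

ANIHEADER_SIZE = 36  # nine little-endian DWORDs in the ANIHEADER structure


def riff_form_type(data):
    """Return the four-byte RIFF form type (e.g. b'ACON'), or None if not RIFF."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    return data[8:12]


def walk_riff_chunks(data):
    """Yield (fourcc, size) for every top-level chunk, refusing any chunk
    whose declared size runs past the end of the buffer."""
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > len(data):
            raise ValueError(
                f"chunk {fourcc!r} at offset {pos} declares {size} bytes but "
                f"only {len(data) - pos - 8} remain")
        yield fourcc, size
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned


def classify(filename, data):
    """Return (is_ani, reasons). A non-empty reasons list means the file
    deserves a closer look: the container says 'animated cursor' but the
    name or the header chunk says otherwise."""
    form = riff_form_type(data)
    if form != b"ACON":
        return False, []
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "ani":
        reasons.append(f"ACON container delivered as .{ext or '(no extension)'}")
    try:
        anih_sizes = [size for fourcc, size in walk_riff_chunks(data)
                      if fourcc == b"anih"]
    except ValueError as err:
        return True, reasons + [f"malformed RIFF: {err}"]
    if len(anih_sizes) != 1:
        reasons.append(f"{len(anih_sizes)} anih header chunks (expected exactly 1)")
    for size in anih_sizes:
        if size != ANIHEADER_SIZE:
            reasons.append(f"anih chunk is {size} bytes, expected {ANIHEADER_SIZE}")
    return True, reasons


def build_riff(form, chunks):
    """Assemble a RIFF file from (fourcc, payload) pairs (fixture builder)."""
    body = b"".join(
        fourcc + struct.pack("<I", len(payload)) + payload
        + (b"\x00" if len(payload) & 1 else b"")
        for fourcc, payload in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


# Constructed samples: a minimal well-formed cursor, the same bytes under a
# .jpg name, a copy with a second, wrongly sized anih chunk, a truncated copy,
# and a plain JPEG header that should not be touched at all.
GOOD_HEADER = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 0, 0)
SAMPLES = {
    "pointer.ani": build_riff(b"ACON", [(b"anih", GOOD_HEADER)]),
    "photo.jpg": build_riff(b"ACON", [(b"anih", GOOD_HEADER)]),
    "double.ani": build_riff(b"ACON", [(b"anih", GOOD_HEADER), (b"anih", bytes(40))]),
    "cut.ani": build_riff(b"ACON", [(b"anih", GOOD_HEADER)])[:-10],
    "real.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        is_ani, reasons = classify(name, blob)
        print(f"{name:12} ani={is_ani!s:5} {'; '.join(reasons) or 'ok'}")
```

The check is deliberately content-first: a mail gateway or proxy that only keys on the .ani extension would pass photo.jpg straight through, while this script reports it as an ACON container under an image name. The chunk walk is the part worth reusing; any RIFF-based format can be bounds-checked the same way before a less careful parser gets to see it.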