On April 3, Redmond hustled to release a security bulletin that covered a subtle but dangerous exploit that had gone unpatched for a long time. The animated-cursor exploit was a hostile code that could be deviously slipped into a system through a Web browser. Even worse, every supported version of Windows was affected, including Windows Vista.
On top of everything else, the patch for this exploit created problems of its own -- no thanks to incompatibilities with some third-party programs that used the same region of memory as the updated components. The most commonly affected items were the shareware utility TUGZip and the Realtek HD Audio Control Panel applet, although it seems only Windows XP suffered from this particular wrinkle.
Nevertheless, the patch has since been replaced with another, slightly rewritten hotfix that solves the incompatibility issues. It is this version that'll be pushed out today.
Four other critical fixes were also made available today:
- A vulnerability in Microsoft Content Management Server. This only affects people running Microsoft Content Management Server 2001 and 2002, so desktop users shouldn't be affected.
- A vulnerability in Universal Plug and Play. UPnP is a networking technology used to allow dynamic connections through firewalls that has been a source of contention in the past — it was not broadly used at first when it was rolled out in XP, but it has since become a lot more broadly supported. Note that Vista is not affected by this problem -- only XP SP2.
- A vulnerability in Microsoft Agent, which could be used to attack systems if they attempt to navigate to a specially designed URL. Systems running IE6 are most broadly affected by this problem, so any Windows systems running IE 7 -- including Vista -- are not affected.
- Vulnerabilities in Windows Client/Server Run-time Subsystem, a set of three issues that affect all versions of Windows, including Vista. These attacks could only be performed locally, but it's unlikely that it would be possible to do them unless you tricked the user into downloading and running an application designed to exploit the problems.
Microsoft published one other fix, rated "important" -- a kernel-level vulnerability that would allow a user running an application locally to elevate privileges and take control of the system. Again, this would be possible only with an application run on the desktop of a given system. Only the 32-bit versions of XP, Windows 2000 and Windows Server 2003 are affected. Vista and the 64-bit editions of Windows are not affected.