There are two reasons for this: The ANI patch itself was flawed and the digital underground continues to churn out a ton of exploits. The flaws patched this week will no doubt be the target of new exploits. But attacks against the ANI flaw have been ongoing, keeping it high on everyone's radar screen.
The blogs of San Diego-based Websense Inc. and Santa Clara, Calif.-based McAfee Inc. were still chock full of ANI attack analysis this week.
The Websense Security blog declared that more than 2,000 unique Web sites are currently hosting exploit code or have been hijacked and turned into drones that direct browsers to machines hosting the malcode.
"There are two main attacks that comprise the majority of these sites," Websense said. One set of attacks appears to have been created by groups in the Asia-Pacific Region.
In these cases, Websense said, the bad guys have compromised hundreds of machines and placed IFRAMEs back to the main servers that host the exploit code. In most cases the payload and motivation of these attacks is to gather credentials for online games such as Lineage, a very popular online game in Asia.
"The second set of attacks started just a couple days ago [and] appear to be from a group in Eastern Europe," the company continued. "This group has been placing exploit code on sites for many years now and has a very resilient infrastructure. They have used WMF, VML, and several other exploits in their routines previously. As of now they have also added the ANI attacks to their arsenal."
In this case, attackers are more likely to install rootkits and other crimeware in hopes of stealing personal information from the user. In the past, Websense said, these attackers have installed fake antispyware software on targeted machines.
McAfee has its own laundry list of ANI exploits in its Avert Labs blog.
The company said it has been tracking a series of malformed image files that prey on the ANI flaw. This includes ANI headers that have been modified in a way that creates extra noise to throw traditional content filtering and antivirus products off course.
"All of these malformed image files are rendered by Internet Explorer and can cause remote code execution or memory corruption in unpatched Windows systems in our tests," McAfee said. "Many of these exploits … created using freely-available toolkits … still go undetected by a majority of antivirus products tested."
Just as ambiguity and variations in specifications and implementation can lead to bugs and security issues, they can also be exploited by malware authors to circumvent conventional detection, McAfee said, adding, "This presents a new challenge to security products that scan image files for malicious content using basic methods that ignore the context of the threat."
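McAfee's point is that a scanner which only pattern-matches bytes, without checking whether the file actually obeys the format it claims to be, is easy to throw off with extra noise. A stricter alternative is to parse the container and report every place the file departs from the specification. The following is an added example and is not McAfee's, Websense's, or Microsoft's code: a small RIFF/ACON conformance checker for `.ani` files, built on the documented layout of the format (a `RIFF` header with form type `ACON`, word-aligned chunks with a 4-byte id and 32-bit little-endian length, an `anih` chunk carrying the 36-byte `ANIHEADER`). The sample files it checks are constructed in `build_sample`; the finding strings are this example's own.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields in the Windows cursor format


def _walk(buf, start, end, findings, counts):
    """Walk RIFF chunks in buf[start:end]; record any chunk that breaks the container rules."""
    pos = start
    while pos < end:
        if end - pos < 8:
            findings.append(f"truncated chunk header at offset {pos}")
            return
        cid = buf[pos:pos + 4]
        (size,) = struct.unpack_from("<I", buf, pos + 4)
        data_start = pos + 8
        data_end = data_start + size
        if data_end > end:
            findings.append(f"chunk {cid!r} at {pos} declares {size} bytes but only "
                            f"{end - data_start} remain")
            return
        counts[cid] = counts.get(cid, 0) + 1
        if cid == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih chunk at {pos} declares {size} bytes; ANIHEADER is {ANIH_SIZE}")
        if cid == b"LIST":
            if size < 4:
                findings.append(f"LIST chunk at {pos} too short to carry a list type")
            else:
                _walk(buf, data_start + 4, data_end, findings, counts)  # skip the list type
        pos = data_end + (size & 1)  # RIFF pads odd-sized chunks to a word boundary


def check_ani(buf):
    """Return a list of specification violations; an empty list means the file conforms."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", buf, 4)
    declared_end = 8 + riff_size
    if declared_end > len(buf):
        findings.append(f"RIFF size field claims {riff_size} bytes but file holds {len(buf) - 8}")
    elif declared_end < len(buf):
        findings.append(f"{len(buf) - declared_end} trailing bytes after the declared RIFF payload")
    counts = {}
    _walk(buf, 12, min(declared_end, len(buf)), findings, counts)
    n = counts.get(b"anih", 0)
    if n != 1:
        findings.append(f"expected exactly one anih chunk, found {n}")
    return findings


# --- constructed sample files (not real cursors; just enough structure to exercise the checks) ---

def _chunk(cid, data):
    return cid + struct.pack("<I", len(data)) + data + (b"\0" if len(data) & 1 else b"")


def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_sample(anih_len=ANIH_SIZE, trailing=b""):
    """Build a minimal ANI: one anih chunk of the requested length, one LIST/fram with one icon."""
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 0)  # cbSizeof, cFrames, cSteps, ...
    anih = _chunk(b"anih", header[:anih_len].ljust(anih_len, b"\0"))
    frames = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))
    return _riff([anih, frames]) + trailing


if __name__ == "__main__":
    for label, sample in [("well-formed", build_sample()),
                          ("oversized anih", build_sample(anih_len=40)),
                          ("trailing junk", build_sample(trailing=b"JUNK!")),
                          ("truncated", build_sample()[:-5])]:
        print(label, "->", check_ani(sample) or "conforms")
```

The well-formed sample produces no findings; an `anih` chunk of the wrong length, bytes appended past the declared RIFF payload, and a file cut short are each reported with the offset involved. Because every chunk length is checked against the bytes that actually remain, padding or noise that a signature-based scanner would have to anticipate byte-for-byte shows up here simply as a length mismatch.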
While some security organizations continue to fill their blogs with new attack data, others are still wondering why it took so long for Microsoft to patch a flaw it learned about in December. Atlanta, Ga.-based Errata Security offered an opinion in its blog, tracing the slow patching process back to Microsoft's need to investigate problems in third-party programs. In this case, the software giant had a RealTek problem to investigate.
"This bug happened because of something wrong in RealTek's code, not Microsoft's code," Errata said. "Few people realize this but when Microsoft tests a patch prior to shipping, they also test popular third-party applications. They find conflicts due to other people's code. When they encounter such an issue, they change their patch until the third-party bug no longer appears." In some cases, Errata said, Microsoft changed the Windows specification just to fix some weirdness in a popular application.
"Microsoft doesn't like to talk about this because they don't want to insult other people, but this sort of thing happens a lot," the blog continued. "What appears to be Microsoft's fault is actually Microsoft covering for other vendors."
One thing that would shift attention away from ANI would be a new attack against one of the more recently publicized flaws.
Eric Schultze, chief security architect at Shavlik Technologies LLC in Roseville, Minn., is convinced the flaws fixed Tuesday in Microsoft bulletins MS07-018 and MS07-019 have the makings of a major attack, and that they are the most wormable holes he has seen in some time.
"Both are server-side attacks that could be remotely exploited over the Internet without the user doing anything," he said. "Every XP box on the planet is vulnerable to the Plug and Play flaw. Attackers will be very excited about these."
Here's hoping he's wrong.