Slashdot Mirror


MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday. MS plans emergency update to fix blinking cursor bug."


  1. Get rid of patch Tuesday by Frogmanalien · · Score: 5, Insightful

    Doesn't this just make Patch Tuesday more and more irrelevant - that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it to catch people off guard in the business world, and I'm sure that most consumers think the same as me - fix my computer, and fix it now!

    --
    The only thing that saves us from the bureaucracy is its inefficiency (Eugene McCarthy)
    1. Re:Get rid of patch Tuesday by Anonymous Coward · · Score: 1, Insightful

      WSUS doesn't get you out of the huge testing cycle large corps have to do to make sure new patches don't break any of their many custom in-house-built apps (as well as purchased apps) before they deploy them. The testing is still easier and less time-consuming to do in batches. Rolling out the patches with WSUS is the easy part of the deal. Big corps don't give a monkey about some yahoo on /. who doesn't understand what their process is before rolling out patches. They specifically asked MS to do Patch Tuesday, knowing WSUS was available. What they do on their networks is much different than what you do in your room in your parents' basement.

    2. Re:Get rid of patch Tuesday by Anonymous Coward · · Score: 3, Insightful

      They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.

      Wrong. They think it's not a big deal. But it is. It has been shown, without any surprise to security-conscious people, that there were bots and spamming-bots at several Fortune 500 companies. No matter how many anti-viruses and firewalls you've got, you're not detecting a root-exploit hiding in Windows' kernel and communicating by hiding in seemingly regular http/https traffic.

      Then of course for some people the very simple need for "anti-virus and anti-malware" [sic] to be installed on every single machine is a big deal... But go explain that to armies of click-monkeys-admin who know nothing but MS's crap...

      And that is the real big deal: monkeys who don't know any better thinking "there are anti-viruses and firewalls on my network, so it's not a big deal".

      --
      Microsoft is not the answer. Microsoft is the question. And the answer is "no".

    3. Re:Get rid of patch Tuesday by rbanffy · · Score: 2, Insightful

      As a friend of mine once said, "you pay peanuts, you buy monkeys".

      There is little question a Windows administrator costs less than an experienced unix'er (a monkey can push a couple buttons and create a new user, but using adduser takes at least two working neurons), but the real question is if you want to trust your company's information to somewhat trained monkeys.

  2. ANI Vuln Known Since December by halfloaded · · Score: 5, Insightful

    I am sure that MS will play this off as them being friendly and proactive by releasing a patch out of cycle. However, they have known about this vuln since December 2006. From the MS Security Response Center Blog:

    [...] this issue was first brought to [Microsoft] in late December 2006 and we've been working on our investigation and a security update since then.

    Wow! Thanks Microsoft! It seems that if a small group like ZERT can release a patch in a couple days, a company with purse strings like MS should be able to release a supported patch in less than four months!

  3. Microsoft's security gnomes by MillionthMonkey · · Score: 4, Insightful

    Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix.

    Dear Microsoft,

    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?

    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.

  4. Why all this planning and press releasing by jhfry · · Score: 1, Insightful

    Give us the patch already... I mean hell... they are telling us when it will be released... which means they have written it and tested it to some degree already.

    They are probably using this few days to figure out how they can spin the whole issue to make them look good!

    I don't know why I even care... this bug doesn't affect me in the least.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
  5. Even more proof by unborracho · · Score: 3, Insightful

    That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.

    --
    "You had this look that of an angel, it was such a bad disguise" --Dishwalla
  6. WOW by blankaBrew · · Score: 2, Insightful

    Is this the WOW that M$ is peddling?