Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Plans Emergency Update to Fix .ANI Bug

Posted by Hemos on from the must-fix-problem dept.

A feed from The Reg says"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."

13 of 109 comments (clear)

  1. I'd comment if... by foxpaws · · Score: 5, Funny

    I'd comment if I could hit the "submit" button with this darned cursor....

    --
    Well, my days of not taking you seriously are certainly coming to a middle. -Firefly
  2. Get rid of patch Tuesday by Frogmanalien · · Score: 5, Insightful

    Doesn't this just make Patch Tuesday more and more irrelevant- that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it catch people off guard in the business world, and I'm sure that most consumers think the same as me- fix my computer, and fix it now!

    --
    The only thing that saves us from the bureaucracy is its inefficiency (Eugene McCarthy)
  3. Re:I'm glad ... by morgan_greywolf · · Score: 4, Funny

    that ANI will be ok.


    Not to worry. He later hooks up with a certain senator, becomes a dark sith lord, and eventually becomes the right-hand man of the ruler of the known galaxy. It's only later when his son comes around to finding him that he gets killed.

    Oh, wait...

    --
    My blog
  4. Perhaps M$ should.... by 8127972 · · Score: 4, Informative

    ... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them which IIRC was a highly unusual step for them.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  5. ANI Vuln Known Since December by halfloaded · · Score: 5, Insightful
    I am sure that MS will play this off as them being friendly and proactive by releasing a patch out of cycle. However, they have known about this vuln since December 2006. From the MS Security Response Center Blog:

    [...] this issue was first brought to [Microsoft] in late December 2006 and we've been working on our investigation and a security update since then.
    Wow! Thanks Microsoft! It seems that if a small group like ZERT can release a patch in a couple days, a company with purse strings like MS should be able to release a supported patch in less than four months!
  6. It's more serious than just "blinking". by Opportunist · · Score: 5, Interesting

    It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.

    Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Microsoft's security gnomes by MillionthMonkey · · Score: 4, Insightful

    Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix.
    Dear Microsoft,
    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
  8. Re:possible workaround by _xeno_ · · Score: 4, Interesting

    Yes, but not quite the way you say - you'd want to override the cursor on all elements.

    The CSS override would be fairly simple:

    * { cursor: text !important; }
    /* The next rule returns links to being the little hand cursor: */
    a { cursor: pointer !important; }

    That overrides the cursor on all elements. The !important is important - the user-specified stylesheet is by default overridden by local pages. However, pages can't override !important rules in the user stylesheet.

    However, I have not checked to make sure that using that stylesheet will actually prevent IE from downloading the cursor. For all I know it will still attempt to download the cursor anyway and still be vulnerable.

    --
    You are in a maze of twisty little relative jumps, all alike.
  9. Where do you want to go today? by 192939495969798999 · · Score: 4, Funny

    To Windows Update, same as every day!

    --
    stuff |
  10. It *DOES* download it anyway by _xeno_ · · Score: 4, Informative

    Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.

    Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.

    --
    You are in a maze of twisty little relative jumps, all alike.
  11. Dear Customer.. by Savage-Rabbit · · Score: 5, Funny

    Dear Microsoft,
    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old. Dear Customer,
    Unfortunately a hoard of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnome's cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a hoard of torch and pitchfork wielding penguins and as a result we were to low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh asssault to retake the security gnome's cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.

    Regards

    The Microsoft Support Team.
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  12. At last! by Farmer+Tim · · Score: 4, Funny

    MS plans emergency update to fix blinking cursor bug.

    Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.

    Pardon my language...

    --
    Blank until /. makes another boneheaded UI decision.
  13. Re:Impacted browsers by TheNetAvenger · · Score: 4, Informative

    Yes it is true that the vulnerbility is limited on Vista since IE runs with lower permissions than the user and cannot harm anything that IE cannot touch, and IE cannot touch hardly anything in Vista.

    Also where in the heck do you get that GUI runs in kernel space? You seriously need to read up a bit on NT, as the Win32 subsystem itself doesn't even get to run in the kernel, let alone the GUI attached to it.

    You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is a OS Kernel nerd.)