MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."

I'd comment if...

[foxpaws]

I'd comment if I could hit the "submit" button with this darned cursor....

Get rid of patch Tuesday

[Frogmanalien]

Doesn't this just make Patch Tuesday more and more irrelevant- that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it catch people off guard in the business world, and I'm sure that most consumers think the same as me- fix my computer, and fix it now!

ANI Vuln Known Since December

[halfloaded]

I am sure that MS will play this off as them being friendly and proactive by releasing a patch out of cycle. However, they have known about this vuln since December 2006. From the MS Security Response Center Blog:

[...] this issue was first brought to [Microsoft] in late December 2006 and we've been working on our investigation and a security update since then.

Wow! Thanks Microsoft! It seems that if a small group like ZERT can release a patch in a couple days, a company with purse strings like MS should be able to release a supported patch in less than four months!

It's more serious than just "blinking".

[Opportunist]

It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.

Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.

Dear Customer..

[Savage-Rabbit]

Dear Microsoft,
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old. Dear Customer,
Unfortunately a hoard of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnome's cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a hoard of torch and pitchfork wielding penguins and as a result we were to low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh asssault to retake the security gnome's cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.

Regards

The Microsoft Support Team.