Microsoft Plans Emergency Patch For .ANI Bug

patch animated cursor file (.ANI) vulnerability

"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat," wrote Christopher Budd, security program manager at Microsoft's Security Response Center, in a Monday blog post.

The public disclosure of proof-of-concept code and customer feedback has spurred Microsoft researchers to work "around the clock" to test the update, Budd wrote.

Security researchers rushed to offer their assessments on what appears to be most serious security vulnerability of 2007. Websense Security Labs said it's tracking more than 100 Web sites that are spreading the .ANI exploit, most of which are downloading and installing password-stealing code. Researchers from McAfee's Threat Center said they discovered a spam campaign that attempts to drive users to a Web site hosting exploit code.

Researchers from the Chinese Internet Security Response Team (CSIRT) said they've discovered a worm using the .ANI exploit that's spreading.

The worm, which mimics the behavior of the Win32.Fujacks worm, inserts malicious links into .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, directing users to sites hosting the .ANI exploit, according to a Monday CSIRT bulletin.

Microsoft had originally planned to patch the .ANI flaw as part of its April 10 monthly patch release, but the company was able to speed up the testing process and release a fix ahead of schedule, Budd wrote.

"Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10," Budd wrote.

However, he said it's possible that Microsoft could be forced to delay the release of the patch if the company encounters any unforeseen issues in testing the patch.