Microsoft Deals With Windows Bug, More On The Way


By Kevin McLaughlin, ChannelWeb

3:49 PM EDT Fri. Mar. 30, 2007
Microsoft has issued an out-of-band bulletin for a critical new vulnerability that stems from the way Windows handles animated cursor (.ani) files. Microsoft also confirmed that "very limited attacks" were being carried out using the flaw.

A remote attacker could create a specially rigged Web site or e-mail. By getting a user to either visit the Web site or open the e-mail, the attacker could then gain access to the affected machine with the user's level of privileges, according to a Microsoft advisory issued Thursday.

Nand Mulchandani, vice president of marketing and business development at Determina, a Redwood City, Calif.-based security vendor, said his firm reported the vulnerability to Microsoft in December. "This vulnerability has been sitting out there for four months," he said.

In the interest of ethical disclosure, Determina didn't initially release any details on the bug. However, now that the flaw is being exploited, Determina has decided to issue a third-party patch of its own, according to Mulchandani. "Our technology allows us to precisely target a vulnerability right down to the instruction level," he said.

Security experts said that while this type of bug has been used by hackers in the past, the fact that it's so easy to exploit could enable it to wreak havoc on unsuspecting users. Secunia gave the flaw its highest rating of "extremely critical," while Symantec DeepSight rated its severity at 8.3 on a 10-point scale.

"This bug isn't something new or different, but from a day zero perspective, it has been a while since we've had one that's this severe," said Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security, Aliso Viejo, Calif.

Microsoft said it would fix the issue in either the next monthly patch release or with an out-of-band patch -- which the Redmond, Wash.-based vendor last did in September 2006 to fix a critical Vector Markup Language bug in Internet Explorer that was being actively exploited.

In the meantime, eEye has issued its own third-party patch for the animated cursor vulnerability, a step the vendor has taken in the past to deal with Microsoft zero-days, according to Maiffret.

"The patch stems from us being able to analyze and identify vulnerabilities. Rather than patching the source code, we're patching the binary itself," Maiffret said.

In the advisory, Microsoft also noted that users of Internet Explorer 7 on Windows Vista are protected from attacks using the vulnerability because of Internet Explorer 7.0's protected mode, which prevents user or system files and settings from being modified without the user's knowledge.

Meanwhile, in the recent tradition of security researchers staging month-long vulnerability campaigns, a group of security researchers announced Friday that they'll be staging a Week Of Vista Bugs starting next week.

The shadowy campaign says it will highlight new and undisclosed vulnerabilities in the latest versions of Vista, and was "launched as a challenge by an unofficial team of security experts," according to a post on Securinfos.info, a security research Web site.

The post said no more details will be provided prior to the start of the campaign, which kicks off this Monday.

This article was updated Friday afternoon to add commentary from Determina.

 