Microsoft has fired off an emergency patch to fix flaws in Windows' animated cursor (ANI) handling that first surfaced last week.
The MS07-017 security bulletin, released a week ahead of the regularly scheduled April 10 patch date, fixes the ANI vulnerability that sprang up last week when Microsoft acknowledged ongoing attacks. The bug, tagged as “very dangerous” by security experts, has since been exploited by hundreds of malicious websites and was the focus of multiple spam campaigns designed to dupe users into visiting criminal websites.
The update is only the third since January 2005 to be posted outside the normal monthly schedule.
In a blog entry, Christopher Budd, programme manager at the Microsoft Security Response Centre (MSRC), said the company had been “monitoring the situation throughout”. He added: “There is a threat for attacks against this vulnerability to increase, although we haven't seen anything widespread”.
The security bulletin rates the ANI bug as critical – Microsoft's highest threat level in its four-step system – across all supported editions of Windows: 2000, XP SP2, Windows Server 2003 and Vista. The vulnerability marks the first critical Vista bug disclosed and patched since the operating system's January 30 release, and the first flaw in Vista's own code.
Six other vulnerabilities were patched in the update. Five were rated important – one step below critical – while the sixth was ranked even lower, as moderate. The half-dozen fixes deal with a denial-of-service bug triggered by malicious Windows Metafile (WMF) images; a vulnerability in Enhanced Metafile (EMF) image files that can elevate an attacker's privileges on a compromised computer; and a similar flaw in Windows' graphics rendering engine. Six of the seven flaws fixed allow hackers to hijack a PC.
Vista is also affected by the EMF vulnerability, Microsoft said, although there it rated the threat as important rather than critical.
Users can obtain the MS07-017 patches via Windows' Automatic Updates, from the Microsoft Update service, or through enterprise tools such as Windows Server Update Services (WSUS) and Software Update Services (SUS).