[NYTr] Microshit Rushes Out Latest Security Fix for Critical Flaw
Date: Tue, 3 Apr 2007 05:07:51 -0500 (CDT)

Via NY Transfer News Collective * All the News that Doesn't Fit

Washington Post Blog - Apr 2, 2007
http://blog.washingtonpost.com/securityfix/2007/04/microsoft_to_issue_emergency_s.html?nav=rss_blog

Microsoft Rushes Out a Security Update

by Brian Krebs

Microsoft Corp. yesterday said it plans to issue a software update on Tuesday to fix a dangerous security flaw in its Windows operating system -- a flaw that cyber criminals are actively targeting to gain access to computers across the Internet. The update will come a week in advance of Microsoft's official patch release schedule, which typically falls on the second Tuesday of each month.

Microsoft's urgency was no doubt spurred in part by unofficial software patches provided by third-party security software vendors, including eEye Digital Security, Determina, and the Zero-Day Emergency Response Team (ZERT), a coalition of security experts focused on providing quick fixes for unpatched software flaws that pose serious risk to computer users.

For the past week, criminals have been exploiting the vulnerability, which stems from a flaw in the way that Windows renders animated cursor files (to conceptualize this built-in capability, think of cute mouse arrows that leave a trail behind when you move them). By convincing a Windows user to open a specially crafted e-mail or to visit a Web site that is currently hosting the exploit, attackers can take complete control over almost any Windows computer in use today.

Microsoft deserves credit for pushing this patch out quickly. The SANS Internet Storm Center, which monitors malicious hacking trends, moved to Internet Threat Level Yellow amid reports that several blasts of junk e-mail were observed exploiting the vulnerability, and that an expanding number of malicious Web sites were hosting the exploit.
This was one of a half-dozen times SANS has moved to the heightened threat level in the past two years.

On Saturday, I delivered a keynote speech at the SANS 2007 annual conference in San Diego, a talk that looked at the myriad sources of and contributing factors to the global cyber crime problem we are faced with today. One of my slides suggested that Microsoft adopt a more consumer-friendly approach to addressing extremely high-threat problems like this. I noted that Microsoft's monthly "Patch Tuesday" cycle has traditionally been fashioned around concerns raised by businesses. Specifically, Microsoft has said that the most time-consuming portion of its patch process lies in testing the fix to ensure that it does not interfere with the proper functioning of third-party software applications that many companies use.

Clearly, these criteria are of little concern to the millions of home users and small/home office customers who do not typically deploy the types of enterprise software most commonly impaired by insufficiently tested Microsoft patches.

Still, it is a tad unsettling that Microsoft has known about this flaw for some time now. Software security testing company Determina said last week that it originally alerted Microsoft to the flaw in December, well in advance of recent evidence that bad guys were exploiting it for commercial gain.

For a variety of reasons, Security Fix cannot endorse any of these third-party updates at this time. But here's hoping Microsoft's out-of-cycle patch release is a sign of new thinking at the company.

***

Tech News World - Apr 2, 2007
http://www.technewsworld.com/story/56649.html

Microsoft Hurries Fix for Cursor Flaw

By Tim Gray
TechNewsWorld

Redmond will release a software patch that fixes a vulnerability affecting Windows' animated mouse cursor graphics. Microsoft's security advisory last week warned customers that the vulnerability was allowing hackers to break into computers and install malicious software.

Microsoft announced the early release of a patch that will eliminate an increasingly dangerous Windows flaw from users' PCs -- a full week before the company's scheduled monthly "Patch Tuesday" cycle.

The software giant's move to fix the vulnerability on Tuesday was provoked by an increasing number of hackers who stepped up attacks on PCs running various versions of Windows on Friday, a day after Microsoft first disclosed the vulnerability.

The patch will address the vulnerability in Windows Animated Cursor Handling, a component of Windows, according to Microsoft.

Malicious Code

Redmond released a security advisory last week, warning customers that a vulnerability in Windows ANI files was allowing hackers to break into computers and install malicious software. The files are used to change the mouse cursor into the familiar hourglass icon -- or another animated option -- while a program is busy.

Microsoft originally planned to release the update next week as part of its regular monthly release of security bulletins; however, the company became aware of the existence of a public attack utilizing the vulnerability and decided to act. Testing the patch was completed earlier than expected, said the company.

Zero Day

While the zero-day attack is designed to exploit PCs running Windows Vista, the mouse cursor vulnerability has also been found on Windows 2000 Service Pack 4, Windows XP Service Pack 2 and some versions of Windows Server 2003, according to the company.

Microsoft's monitoring of attack data continues to indicate limited impact on Windows users, the company said. However, the firm is actively monitoring the situation to keep customers up to date.

Highly Critical

Security experts at McAfee spotted a post on a Chinese message board on Wednesday, which indicated that hackers were planning to exploit the vulnerability, Craig Schmugar, a virus researcher at McAfee Avert Labs, told TechNewsWorld.

McAfee has rated the exploit "highly critical" and suggests that users should download the patch as soon as Microsoft releases it; otherwise they could end up with a malicious program on their PC after browsing the Web and not know it, Schmugar said.

The vulnerability does not suggest that Windows Vista has a fundamental security flaw, added Schmugar.

"These programs are designed by humans and there are going to be flaws and vulnerabilities," he said. "[Vista] has additional mitigation factors some others, such as XP, do not."

Copyright © 1998-2007 ECT News Network, Inc. All Rights Reserved.

*
================================================================
.NY Transfer News Collective * A Service of Blythe Systems
. Since 1985 - Information for the Rest of Us .
.339 Lafayette St., New York, NY 10012 http://www.blythe.org
.List Archives: https://olm.blythe-systems.com/pipermail/nytr/
.Subscribe: https://olm.blythe-systems.com/mailman/listinfo/nytr
================================================================