Microsoft has released an out-of-cycle fix - one week before its scheduled Patch Tuesday release - for numerous vulnerabilities in Graphics Device Interface (GDI) that could allow remote code execution.The fix, which resolves an issue in the way Windows handles ANI files, affects Microsoft software for Windows 2000, XP, Server 2003 and Vista operating systems.
Researchers from a list of vendors and organisations have reported attacks exploiting the flaw this week, many traced back to China.
By Monday, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said more than 150 malware samples exploiting the flaw were in the wild. Websense reported more than 100 exploitation sites by Saturday morning.
Microsoft revealed Monday in an advance notification that it would release a lone bulletin for Windows with a maximum severity rating of "critical." The update will require a restart and will be detectable using the Microsoft Baseline Security Analyser.
A Microsoft spokesperson confirmed earlier this week that MS07-017 will address a vulnerability in Windows ANI.
The spokesperson said attacks and customer impact were limited, although Microsoft was aware of the existence of a public attack on the flaw.
Meanwhile, eEye Digital Security, which released a third-party patch for the ANI flaw earlier in the week, updated its fix on Monday. A hacker using the alias Jamikazu posted zero-day exploit code that bypasses eEye’s patch to the Milw0rm site on Sunday.
ZERT (the Zeroday Emergency Readiness Team) also released an unauthorised fix for the flaw this week.
The out-of-cycle patch is the first such fix since Microsoft released a patch last September for a flaw in the way Internet Explorer handles vector markup language.
Redmond also released an early fix for a flaw in Windows metafile – a vulnerability often compared to the ANI flaw - in late 2005.