Microsoft announced on Sunday that it will release an out-of-band patch to fix a vulnerability in Windows Animated Cursor Handling (ANI) that some security experts are calling one of the most significant flaws in years.The ANI bug leaves open to attack any webpage email or content that can load an animated cursor, allowing attackers to run arbitrary code on users’ systems. Over the weekend ANI exploits snowballed, wrecking the weekend for many security professionals responding to attacks.
On Friday, Secunia reported the vulnerability as “extremely critical” and eEye Digital released a third-party patch to service those anxious to protect systems before Microsoft releases its sanctioned fix.
According to Ken Dunham of iDefense Labs, researchers have found over 150 malware samples utilising the vulnerability in the wild as of early Sunday morning. He reported that a worm, a spam run and generation kits exploiting the flaw now exist in the wild. On Saturday Websense reported over 100 ANI exploitation sites in the wild.
“This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers,” Dunham says. “iDefense believes the new ANI exploit will be a long term persistent threat, one of the most significant we've seen in the past three years.”
Dunham reported that many of the ANI attack kits were based in China, with a focus on the theft of role-playing game credentials to sell on the black market. While most exploits currently impact only Windows XP SP2, he noted that the damage will likely spread.
“It's trivial to modify the exploit to work on other builds of operating systems,” he said, “iDefense has also found that it's trivial to modify the exploit to work through a Windows Explorer vector.”
Microsoft plans to release the patch this Tuesday, a full week before its regularly-scheduled patch release, in response to widespread exploits.
“Microsoft originally planned to release the update on Tuesday, April 10, 2007 as part of its regular monthly release of security bulletins,” a Microsoft spokesperson said. “However, Microsoft is aware of the existence of a public attack utilising the vulnerability. Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”
The patch may not come quickly enough for bleary-eyed security professionals who have been working overtime to mitigate risks.
“Happy April Fool's Day, no joking,” said Ken Dunham of iDefense Labs in an advisory on Sunday, “it will be very busy today and as we head into the work week.”