ALARM Group ALERT
Alert Number: 040207-01
Alert Date: 04/02/07
Alert Title: Out-of-sequence patch possible for .ani vulnerability
Update-to:
033007-02 "UAlbany blocking .ani file extensions"
033007-01 "Microsoft Animated Cursor vulnerability"
OS/Platform/Application:
Microsoft Windows Vista
Microsoft Windows XP (including Service Pack 2, 64-Bit and Itanium-based systems)
Microsoft Windows Server 2003 (including SP1, SP2 x64, and Itanium-based Systems)
Microsoft Windows 2000 Service Pack 4
Category: ALERT
Severity: N/A
Attention: System Administrators, Desktop Support Personnel, Microsoft Windows users
Summary: According to an entry in the Microsoft Security Response Center Blog, Microsoft has been working on a patch for the .ani handling vulnerability and (tentatively) intends to release it on Tuesday, April 3, 2007. This release will be ahead of the standard "patch Tuesday" (2nd Tuesday per month) schedule. Microsoft has also updated its original security advisory 935423 to reflect vulnerabilities now identified in Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2.
Activity related to the .ani vulnerability has been on the rise since the issue was brought to public attention last week. The number of malicious emails/SPAM and compromised sites hosting exploit code has increased to such an extent that the SANS INFOCon level (an important barometer for the state of malicious activity on the Internet) was raised from "Green" to "Yellow" on Sunday, March 31.
Recommended Actions: Windows system administrators, helpdesk personnel, and home/UA users are encouraged to apply the .ani patch as soon as it is released by Microsoft. It is important to keep in mind that the current blocking of .ani file types put into place at UA on 3/30/07 ONLY affects email messages and does NOT protect users from being exploited while visiting malicious websites, etc. A listing of new developments, timelines, etc., is presented below to help sysadmins and users better understand the nature of the vulnerability, its implications, and potential workarounds/mitigation strategies.
ITS Actions: N/A (this is an update).
Resources:
Microsoft Security Advisory 935423 (UPDATED):
http://www.microsoft.com/technet/security/advisory/935423.mspx
Microsoft Security Response Center Blog (mentions progress on patch):
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx
Microsoft Security Bulletin Advance Notification:
http://www.microsoft.com/technet/security/bulletin/advance.mspx
SANS diary entry (explains INFOCon change from green to yellow):
http://isc.sans.org/diary.html?storyid=2542
Websense blog entry (provides timeline of exploit):
http://www.websense.com/securitylabs/blog/blog.php?BlogID=117