Microsoft is releasing an off-cycle patch Tuesday for the .ANI vulnerability that saw an escalating number of threats appearing over the weekend. F-Secure noted that the first worm using the exploit was discovered roaming the Internet on Sunday. "This vulnerability is really tempting for the bad guys. It's easy to modify the exploit, and it can be launched via Web or e-mail fairly easily," said Mikko Hypponen, chief research officer at F-Secure. Websense Security Labs reported that researchers there now are monitoring more than 100 Web sites that are spreading the .ANI zero-day exploit. "Currently, the majority of the attacks appear to be downloading and installing generic password-stealing code. Most sites are hosted in China. Interestingly, the most popular domain space being used is .com," Websense reported on its blog.
The .ANI vulnerability lies in the way Windows handles malformed animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases and Internet Explorer is the main attack vector for the exploits. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability, view a specially crafted e-mail message, or open a specially crafted e-mail attachment sent to them by an attacker," Adrian Stone, a Microsoft researcher, wrote in a blog. The Internet Storm Center is advising users that unofficial patches that are currently available should be removed when Microsoft releases its own patch.
"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday, April 3, 2007," Christopher Budd, security program manager at Microsoft's Security Response Center, wrote in a blog Sunday. Budd noted that a delay is still possible if an issue is found at the last minute.
News source: InformationWeek