Microsoft has released an update that fixes seven separate Windows vulnerabilities, all of which were rated "critical" by the software giant. As expected, the release patches the way Windows processes .ani Animated Cursor files. Microsoft decided to break its patch cycle because attackers were finding more ways to exploit the flaw in its Windows operating system. Microsoft was first notified of the flaw in December 2006 by security vendor Determina. "I have no idea why they didn't do this earlier," said Nand Mulchandani, Determina's vice president of marketing.
Windows users are strongly encouraged to install the patch because the .ani flaw can be used to exploit computers running virtually any version of Windows, including Vista, even if they are running non-Microsoft browsers like Firefox and Opera, Mulchandani said. "We have more than 400 different URLs identified and related to attacks, and multiple e-mails have been sent out that direct people back there. We have proof that organized groups are now launching attacks," said Ken Dunham, director of malicious code intelligence with iDefense. Exploit code for the flaw has now been added to the widely used Metasploit hacking tool, and there are automated malicious Web site generation tools available, he added.