Just before Easter, Microsoft broke from its usual security alert program to issue a bulletin and patches for a vulnerability that could allow malformed Windows animated cursor files to give hackers remote control over infected PCs. A second critical alert was issued as part of the normal reporting routine on April 10.
Microsoft security bulletin MS07-17 addresses a "zero day" vulnerability, so called because attacks have already taken place that exploit the weakness - including, according to some reports, the website of the Dolphin Stadium in Miami, which hosted this year's Super Bowl.
The vulnerability affects every currently supported version of Windows, including Vista, and is based on the way that Windows handles .ANI animated cursor files. If a user downloads an infected file from a malicious website or opens an email attachment, a remote hacker could potentially take control of the user's PC. In a McAfee Avert Labs blog, researcher Craig Schmugar videoed the crash-reboot loop that paralyzed his Vista PC after downloading an infected .ANI file.
The ANI exploit was first discovered by security company Determina in December 2006, and the company warned that in certain circumstances Mozilla Firefox can be exploited in the same way as Internet Explorer.
Stewart Twynham of Bawden Quinn pointed out that the lastest zero day patch will be embarrassing for Microsoft is that the exploited routine actually appears twice within Windows, but only one was patched in December. "It's a bit like realizing the locks on your car are of bad design, then going to the trouble of replacing the driver's side but forgetting about the passenger side," he said.
Update Security Bulletin
A second critical security alert affecting Windows Vista emerged in Microsoft's more traditional second Tuesday bulletin on 10 April. Security bulletin MS07-021 includes details of a security hole in the way the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages that could lay the operating system open to remote code execution. As well as Vista, the critical vulnerability affects Windows XP, Windows Server 2003 and Windows 2000 Server.
Windows users are strongly encouraged to download the relevant update patches. Instructions are included in the Microsoft bulletins.