Security Update: Microsoft Issues Critical Vista Patches

Just before Easter, Microsoft broke from its usual security alert program to issue a bulletin and patches for a vulnerability that could allow malformed Windows animated cursor files to give hackers remote control over infected PCs. A second critical alert was issued as part of the normal reporting routine on April 10.

Microsoft security bulletin MS07-17 addresses a "zero day" vulnerability, so called because attacks have already taken place that exploit the weakness - including, according to some reports, the website of the Dolphin Stadium in Miami, which hosted this year's Super Bowl.

The vulnerability affects every currently supported version of Windows, including Vista, and is based on the way that Windows handles .ANI animated cursor files. If a user downloads an infected file from a malicious website or opens an email attachment, a remote hacker could potentially take control of the user's PC. In a McAfee Avert Labs blog, researcher Craig Schmugar videoed the crash-reboot loop that paralyzed his Vista PC after downloading an infected .ANI file.

The ANI exploit was first discovered by security company Determina in December 2006, and the company warned that in certain circumstances Mozilla Firefox can be exploited in the same way as Internet Explorer.

Stewart Twynham of Bawden Quinn pointed out that the lastest zero day patch will be embarrassing for Microsoft is that the exploited routine actually appears twice within Windows, but only one was patched in December. "It's a bit like realizing the locks on your car are of bad design, then going to the trouble of replacing the driver's side but forgetting about the passenger side," he said.

Update Security Bulletin
A second critical security alert affecting Windows Vista emerged in Microsoft's more traditional second Tuesday bulletin on 10 April. Security bulletin MS07-021 includes details of a security hole in the way the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages that could lay the operating system open to remote code execution. As well as Vista, the critical vulnerability affects Windows XP, Windows Server 2003 and Windows 2000 Server.

Windows users are strongly encouraged to download the relevant update patches. Instructions are included in the Microsoft bulletins.

You may like these other stories...

Could the IRS disallow Ice Bucket Challenge charitable contributions?Unless you’ve been living under a rock, you’ve probably heard of – or participated in – the ALS Ice Bucket Challenge.I was...
As a general rule, a taxpayer can deduct the full amount of monetary contributions made to a qualified charitable organization, as long as certain substantiation requirements are met. These donations are typically made...
Hertz withdraws full-year forecast, cites accounting review, challengesRental car company Hertz Global Holdings Inc. said on Tuesday it is withdrawing its full-year financial forecast and expects 2014 results to be “...

Already a member? log in here.

Upcoming CPE Webinars

Aug 26
This webcast will include discussions of recently issued, commonly-applicable Accounting Standards Updates for non-public, non-governmental entities.
Aug 28
Excel spreadsheets are often akin to the American Wild West, where users can input anything they want into any worksheet cell. Excel's Data Validation feature allows you to restrict user inputs to selected choices, but there are many nuances to the feature that often trip users up.
Sep 9
In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
Sep 11
This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.