Security Update: Microsoft Issues Critical Vista Patches

Just before Easter, Microsoft broke from its usual security alert program to issue a bulletin and patches for a vulnerability that could allow malformed Windows animated cursor files to give hackers remote control over infected PCs. A second critical alert was issued as part of the normal reporting routine on April 10.

Microsoft security bulletin MS07-17 addresses a "zero day" vulnerability, so called because attacks have already taken place that exploit the weakness - including, according to some reports, the website of the Dolphin Stadium in Miami, which hosted this year's Super Bowl.

The vulnerability affects every currently supported version of Windows, including Vista, and is based on the way that Windows handles .ANI animated cursor files. If a user downloads an infected file from a malicious website or opens an email attachment, a remote hacker could potentially take control of the user's PC. In a McAfee Avert Labs blog, researcher Craig Schmugar videoed the crash-reboot loop that paralyzed his Vista PC after downloading an infected .ANI file.

The ANI exploit was first discovered by security company Determina in December 2006, and the company warned that in certain circumstances Mozilla Firefox can be exploited in the same way as Internet Explorer.

Stewart Twynham of Bawden Quinn pointed out that the lastest zero day patch will be embarrassing for Microsoft is that the exploited routine actually appears twice within Windows, but only one was patched in December. "It's a bit like realizing the locks on your car are of bad design, then going to the trouble of replacing the driver's side but forgetting about the passenger side," he said.

Update Security Bulletin
A second critical security alert affecting Windows Vista emerged in Microsoft's more traditional second Tuesday bulletin on 10 April. Security bulletin MS07-021 includes details of a security hole in the way the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages that could lay the operating system open to remote code execution. As well as Vista, the critical vulnerability affects Windows XP, Windows Server 2003 and Windows 2000 Server.

Windows users are strongly encouraged to download the relevant update patches. Instructions are included in the Microsoft bulletins.

You may like these other stories...

Many senior US tax professionals believe that a streamlined audit process will be the top benefit resulting from the IRS Transfer Pricing Audit Roadmap, a new toolkit organized around a notional 24-month audit timeline,...
Tax accounting to be simplified for money-market fundsThe US Securities and Exchange Commission (SEC) voted 3-2 on Wednesday for sweeping changes to institutional money-market funds, Emily Chasan, senior editor of...
By Cathy Stopyra and Todd SimmensUnderpayment interest, refund interest, and penalties charged to businesses are just a few of the considerations the IRS calculates when determining taxation for a given company. Though...

Upcoming CPE Webinars

Jul 31
In this session Excel expert David Ringstrom helps beginners get up to speed in Microsoft Excel. However, even experienced Excel users will learn some new tricks, particularly when David discusses under-utilized aspects of Excel.
Aug 5
This webcast will focus on accounting and disclosure policies for various types of consolidations and business combinations.
Aug 20
In this session we'll review best practices for how to generate interest in your firm’s services.