Security Update: Microsoft Issues Critical Vista Patches

Just before Easter, Microsoft broke from its usual security alert program to issue a bulletin and patches for a vulnerability that could allow malformed Windows animated cursor files to give hackers remote control over infected PCs. A second critical alert was issued as part of the normal reporting routine on April 10.

Microsoft security bulletin MS07-17 addresses a "zero day" vulnerability, so called because attacks have already taken place that exploit the weakness - including, according to some reports, the website of the Dolphin Stadium in Miami, which hosted this year's Super Bowl.

The vulnerability affects every currently supported version of Windows, including Vista, and is based on the way that Windows handles .ANI animated cursor files. If a user downloads an infected file from a malicious website or opens an email attachment, a remote hacker could potentially take control of the user's PC. In a McAfee Avert Labs blog, researcher Craig Schmugar videoed the crash-reboot loop that paralyzed his Vista PC after downloading an infected .ANI file.

The ANI exploit was first discovered by security company Determina in December 2006, and the company warned that in certain circumstances Mozilla Firefox can be exploited in the same way as Internet Explorer.

Stewart Twynham of Bawden Quinn pointed out that the lastest zero day patch will be embarrassing for Microsoft is that the exploited routine actually appears twice within Windows, but only one was patched in December. "It's a bit like realizing the locks on your car are of bad design, then going to the trouble of replacing the driver's side but forgetting about the passenger side," he said.

Update Security Bulletin
A second critical security alert affecting Windows Vista emerged in Microsoft's more traditional second Tuesday bulletin on 10 April. Security bulletin MS07-021 includes details of a security hole in the way the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages that could lay the operating system open to remote code execution. As well as Vista, the critical vulnerability affects Windows XP, Windows Server 2003 and Windows 2000 Server.

Windows users are strongly encouraged to download the relevant update patches. Instructions are included in the Microsoft bulletins.

You may like these other stories...

Washington D.C., our nation's capital, is the healthiest city in the country, according to a new report from USA Today. But now it's going to cost politicos on the Hill and Gen-Xers in Foggy Bottom a little extra to...
Credit Suisse says pension assets at risk unless court delays sentencingJohn Letzing of the Wall Street Journal reported on Wednesday that Credit Suisse Group AG says its management of billions of dollars in assets for...
Starting in January 2015, the IRS will limit the number of refunds that are electronically deposited into a single financial account or pre-paid debit card to three, as part of the agency’s effort to crack down on...

Upcoming CPE Webinars

Jul 16
Hand off work to others with finesse and success. Kristen Rampe, CPA will share how to ensure delegated work is properly handled from start to finish in this content-rich one hour webinar.
Jul 17
This webcast will cover the preparation of the statement of cash flows and focus on accounting and disclosure policies for other important issues described below.
Jul 23
We can’t deny a great divide exists between the expectations and workplace needs of Baby Boomers and Millennials. To create thriving organizational performance, we need to shift the way in which we groom future leaders.
Jul 24
In this presentation Excel expert David Ringstrom, CPA revisits the Excel feature you should be using, but probably aren't. The Table feature offers the ability to both boost the integrity of your spreadsheets, but reduce maintenance as well.