Security Update: Microsoft Issues Critical Vista Patches

Posted by accountingweb on 291 printer friendly

Just before Easter, Microsoft broke from its usual security alert program to issue a bulletin and patches for a vulnerability that could allow malformed Windows animated cursor files to give hackers remote control over infected PCs. A second critical alert was issued as part of the normal reporting routine on April 10.

Microsoft security bulletin MS07-17 addresses a "zero day" vulnerability, so called because attacks have already taken place that exploit the weakness - including, according to some reports, the website of the Dolphin Stadium in Miami, which hosted this year's Super Bowl.

The vulnerability affects every currently supported version of Windows, including Vista, and is based on the way that Windows handles .ANI animated cursor files. If a user downloads an infected file from a malicious website or opens an email attachment, a remote hacker could potentially take control of the user's PC. In a McAfee Avert Labs blog, researcher Craig Schmugar videoed the crash-reboot loop that paralyzed his Vista PC after downloading an infected .ANI file.

The ANI exploit was first discovered by security company Determina in December 2006, and the company warned that in certain circumstances Mozilla Firefox can be exploited in the same way as Internet Explorer.

Stewart Twynham of Bawden Quinn pointed out that the lastest zero day patch will be embarrassing for Microsoft is that the exploited routine actually appears twice within Windows, but only one was patched in December. "It's a bit like realizing the locks on your car are of bad design, then going to the trouble of replacing the driver's side but forgetting about the passenger side," he said.

Update Security Bulletin
A second critical security alert affecting Windows Vista emerged in Microsoft's more traditional second Tuesday bulletin on 10 April. Security bulletin MS07-021 includes details of a security hole in the way the Windows Client/Server Run-time Subsystem (CSRSS) handles error messages that could lay the operating system open to remote code execution. As well as Vista, the critical vulnerability affects Windows XP, Windows Server 2003 and Windows 2000 Server.

Windows users are strongly encouraged to download the relevant update patches. Instructions are included in the Microsoft bulletins.

Tags 
Excel
Watchdog
Technology

Voice of the Editor

What would you do if one of your clients won the lottery? We asked several accountants to weigh in with their advice for the lucky Powerball winner, and the tips we received are useful for anyone who receives a windfall, whether it's a lottery win, an inheritance, a big bonus on the job, or a killing in the stock market.
Read more
Gail Perry, CPA
Publisher/Editor-in-Chief, AccountingWEB
editor@accountingweb.com
ADVERTISEMENT

This Week on AccountingWEB

CPAs Mira Finé, Scott Hitchcock, Rob Keasal, Kathy Scorcio, and Ken Travis offer ten pieces of financial advice for the newest Powerball winner.
Hang Bower of BDO USA and Dan Black of Ernst & Young share their perspectives on why their firms made the Best Places to Work for Recent Grads 2013 list.
Herbein + Company, Inc. firm members talked with AccountingWEB about their year-round employee wellness program.
Bill Walter of Gross, Mendelsohn & Associates and Harold Gaar of TravisWolff LLP weigh in on mobile technology use while employees are at work.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT