We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Critical Windows bug targets surfers

Vista and XP attacks reported, Firefox users safe

Microsoft yesterday revealed that Windows - Windows Vista included - contains an unpatched vulnerability. The flaw, which Microsoft describes as 'critical' can be used by attackers to usurp Windows PCs when users surf to malicious sites. There have been reports of in-the-wild exploits but, according to one expert, users running Firefox 2.0 are safe from drive-by attacks.

In a security advisory posted yesterday, the MSRC (Microsoft Security Response) team acknowledged a bug in Windows' Animated Cursor. This component allows developers to show short animations at the mouse-pointer's location.

eEye fix released for Windows zero-day flaw

The MSRC warned that hackers might disguise malicious animated cursors with an extension other than the usual '.ani' extension. The SANS Institute said it had received reports of in-the-wild exploits using files renamed to .jpg.

"An attacker could try to exploit the vulnerability by creating a specially crafted web page," the Microsoft advisory warned.

"An attacker could create a specially crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message or opening a specially crafted email attachment, the attacker could cause the affected system to execute code."

Antivirus vendor McAfee first noted the drive-by vulnerability late on Wednesday, when Craig Schmugar, the virus research manager at the company's Avert Labs, blogged about tests that showed an up-to-date copy of Windows XP SP2 was vulnerable via Internet Explorer 6.0 and 7.0. According to Schmugar, users running Firefox 2.0 appear to be safe from drive-by exploits using the vulnerability.

Although Microsoft listed Windows Vista among the affected editions - which include Windows 2000, XP and Server 2003 - it also said that on Vista, IE 7.0 in its default configuration would protect users. "Customers who are using Internet Explorer 7.0 on Windows Vista are protected from currently known web-based attacks due to Internet Explorer 7.0 protected mode," the MSRC said. However, protected mode, while on by default, can be disabled by the user.

Simply by dragging a malicious .ani file to the Vista desktop, Schmugar was able to send the operating system over the edge and into an endless "crash-restart" loop. He has posted a video of the Vista crash on the Avert Labs site, as well as on YouTube.

In response to the new threat, security companies immediately issued their own alerts and raised overall Internet risk rankings. Symantec, for example, pushed its ThreatCon to 2.

The MRSC downplayed the threat by claiming only "very limited" attacks were in progress and saying they were "not widespread" at the moment. "[But] we are monitoring the issue and will update the advisory as new information becomes available," Adrian Stone, an MSRC program manager, said on the group's blog.

Microsoft said it would patch the bug in a security update, but wouldn't commit to a when. "[We] will release un update for this issue at the conclusion of our investigation," a spokeswoman said today.

The next scheduled update cycle for the Redmond, Wash. developer is 10 April. Until then, Microsoft's advice to users remained basic: "Do not visit untrusted websites or view unsolicited email."


IDG UK Sites

Samsung Galaxy S6 launch as it happened: Galaxy S6 launch video and live blog - watch again as...

IDG UK Sites

5 things we hate about MWC: What it's like to be a journalist at a technology trade show

IDG UK Sites

Interview: Lauren Currie aims to help design students bridge skills gap

IDG UK Sites

12in Retina MacBook Air release date rumours: new MacBook Air to have fingerprint ID, could launch...