The flaw is often called the ANI vulnerability, as it relates to animated cursor files, which normally have the .ani suffix.
Exploits are relatively widespread, so applying the patch is an urgent matter. Security companies have detected several different attacks from hundreds of sites.
For example, security vendor Websense says it has found one particular attack has been installed more than 450 compromised web sites, resulting in "tens of thousands of pages with exploit code links on them" to silently install a generic password stealer when people visit the pages.
Yet Microsoft security program manager Christopher Budd wrote in the Microsoft Security Response Center Blog "We have been monitoring the situation throughout and our indications, and those of our MSRA partners, show there is a threat for attacks against this vulnerability to increase although we haven’t seen anything widespread. Based on customer feedback and our teams’ ability to complete testing in an expedited manner by working around the clock, we’ve gone ahead and released this update early to help better protect customers from this threat."
The update patches other, less severe vulnerabilities in Windows' Graphics Device Interface (GDI) code. Most allow privilege elevation and are rated "important"; one allows a malformed WMF file to freeze or possibly restart a system.
Tuesday's patch applies to Windows 2000, XP, Server 2003 and Vista. It can be downloaded from Microsoft's web site (via this page) or installed through Software Update.
One problem with the patch has already been identified - it conflicts with the Realtek HD Audio control panel. A hotfix is available from Microsoft.
The regular Patch Tuesday is scheduled for next week and Microsoft still expects to release updates on that day, though no details have been released yet.
Microsoft patches ANI vulnerability
A "critical" out-of cycle security update released by Microsoft on Tuesday fixes the animated cursor vulnerability that potentially allowed attackers to take control of a system.
RECRUITMENT & RETENTION REPORT 2013
HIRE OR FIRE? BUY OR BUILD2013 is well underway and Australian companies need to know whether they should invest in IT skills training or pay a premium for the people they need.
If you want to know which choices are being made in your sector, what skills are hard to find, which sectors intend to hire or fire and where the IT spend is going, this free report is must have.
Stephen Withers
Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.
