Microsoft to Fix Critical Vista Flaw Early
Microsoft confirmed Sunday that it would not wait until April's "Patch Tuesday" to release a fix correcting a critical flaw in Windows Animated Cursor Handling, which affects most supported versions of the company's operating systems. Instead, an update is coming Tuesday.
The exploit, which results in a crash-restart-crash loop, is triggered by a buffer overflow in an animated cursor file. A similar flaw was discovered in early 2005, but apparently did not affect Windows XP Service Pack 2. The new issue, discovered by McAfee's Avert Labs, does impact XP SP2 and Windows Vista, as well as Windows 2000 SP4 and Windows Server 2003.
Avert Labs' video of the incident, posted to YouTube, shows a Vista system on which the test file is apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.
But when Vista tries to restart Explorer, the restart itself crashes, sending Vista into a tailspin from which the only escape appears to be the off button.
Security research firm eEye released its own third-party "temporary fix" for the problem Friday, but Microsoft recommended strongly that users wait for an official patch.
"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code," Microsoft security researcher Christopher Budd wrote in a blog posting.
"In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007."
Microsoft said it was notified of the flaw in December 2006, and has been working on a fix since. Coincidentally, the company claims the update was already scheduled for April 10, so moving it up one week is not that difficult a task - a point ostensibly made to emphasize that customers should not expect similar turnaround on security patches in the future.
"Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10," Budd said, noting that "it’s possible that we will find an issue that will force us to delay the release."