3rd Party Patches Critical Windows Flaw
Not content to wait for Microsoft to remedy the issue, independent security firm eEye released a temporary patch for a critical flaw affecting Windows that can lead to a crash-restart-crash loop. But Microsoft does not recommend such third-party patches.
The potential exploit is triggered by a buffer overflow in an animated cursor file. A similar flaw was discovered in early 2005, but did not apparently affect Windows XP Service Pack 2. The new issue, discovered by McAfee's Avert Labs, does seem to impact XP SP2 and Windows Vista, as well as Windows 2000 SP4 and versions of Windows Server 2003 from the initial release through to SP1.
Avert Labs' video of the incident, posted to YouTube, shows a Vista system in which the test file apparently tries to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.
eEye says its temporary patch prevents the flaw from being exploited, but does not correct the underlying problem.
"Almost a year ago to the day, we released one of the first third-party patches, proactively providing Windows users temporary protection against a serious zero-day vulnerability; we are doing it yet again," said eEye co-founder Marc Maiffret. "Unlike last year's JScript Vulnerability, there are no immediately effective means of mitigation for this zero-day vulnerability. As a result, we encourage all Windows users to take advantage of our free patch until other means of protection become available."
Microsoft, for its part, said Thursday it has activated its Software Security Incident Response Process, and issued a security advisory on the matter. One method of attack can occur by embedding a malicious animated cursor into an e-mail, the company said.
"The most potent attack method used by this vulnerability is conducted by embedding a malicious .ANI file within an HTML web page. Doing so allows the vulnerability to be exploited with minimal user interaction by simply coaxing a user to follow a hyperlink and visit a malicious web site," reported eEye. "Other exploit vectors exist including Microsoft Office applications since they also rely on the same .ANI processing code, making email delivery also a potent threat by using Microsoft Office attachments."
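The flaw described above lives in the .ANI processing code, so a practical defensive measure while waiting for a vendor fix is to reject structurally malformed cursor files at a mail or web gateway. The following is an added example, not code from the article, eEye or Microsoft: it walks the RIFF chunks of an .ANI file, rejects any chunk whose declared length overruns the file, and requires the `anih` header chunk to be the fixed 36 bytes the format defines (the sample good and bad files are constructed inline; the check is a format sanity filter, not a reproduction of the vulnerable code).

```python
import struct

ANIH_SIZE = 36  # size of the fixed ANI header structure carried by the "anih" chunk


def check_ani(data: bytes) -> list[str]:
    """Walk the RIFF/ACON chunks of an .ANI file and return a list of
    structural problems found; an empty list means the container is sane."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 != len(data):
        problems.append(f"RIFF length {riff_len} disagrees with payload size {len(data) - 8}")
    pos, saw_anih = 12, False
    while pos < len(data):
        if len(data) - pos < 8:
            problems.append(f"truncated chunk header at offset {pos}")
            break
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if size > len(data) - body:  # declared length must fit inside the file
            problems.append(f"chunk {fourcc!r} declares {size} bytes but only {len(data) - body} remain")
            break
        if fourcc == b"anih":
            saw_anih = True
            if size != ANIH_SIZE:
                problems.append(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", data, body)[0] != ANIH_SIZE:
                problems.append("anih cbSize field does not match the header size")
        pos = body + size + (size & 1)  # RIFF chunks are padded to an even boundary
    if not saw_anih:
        problems.append("no anih chunk")
    return problems


def chunk(fourcc: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk with its length field and even-byte padding."""
    return fourcc + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def ani_file(chunks: list[bytes]) -> bytes:
    """Wrap chunks in a RIFF/ACON container with a correct overall length."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a minimal well-formed cursor and one with an oversized anih chunk.
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD = ani_file([chunk(b"anih", GOOD_ANIH)])
BAD = ani_file([chunk(b"anih", GOOD_ANIH + b"A" * 64)])
```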
In a later update, Microsoft acknowledged that Outlook Express users are vulnerable, even if they disable HTML e-mail. Outlook 2007 users are protected, as are Windows Mail users on Vista - as long as they do not reply or forward the malicious e-mail.
eEye's zero-day patch is available for download from the security firm's Web site. Microsoft has not yet said when it will issue a fix, although the next "Patch Tuesday" is slated for April 10. The company could choose to release an out-of-cycle update if warranted by the severity of the problem.