Microsoft Patches Windows Cursor Flaw
As expected, Microsoft has released security update MS07-017, which patches a critical vulnerability in Windows Animated Cursor Handling. The company says it had been working on the fix since December, and has posted it early due to reports of attacks.
The problem is similar to one discovered in early 2005, which apparently did not affect Windows XP Service Pack 2. The new vulnerability came to light in December, but an exploit taking advantage of the flaw surfaced only last week.
McAfee's Avert Labs noted that the problem impacted XP SP2 and Windows Vista, as well as Windows 2000 SP4 and Windows Server 2003. Microsoft's Security Response Center jumped into action and confirmed the vulnerability shortly thereafter, promising a swift resolution.
A video of the incident shows a Vista system on which the test file is apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.
But in trying to restart Explorer, the restart itself crashes, sending Vista into a tailspin from which the only escape appears to be the off button.
Although MS07-017 has been released separately from the usual "Patch Tuesday" cycle, Microsoft claims the update was already scheduled for April 10, so moving it up one week is not that difficult a task - a point ostensibly made to emphasize that customers should not expect similar turnaround on security patches in the future.
"Based on customer feedback and our teams’ ability to complete testing in an expedited manner by working around the clock, we’ve gone ahead and released this update early to help better protect customers from this threat," wrote Microsoft security researcher Christopher Budd in a blog post.
"We are encouraging customers to test and deploy this update as quickly as possible as well as ensure that you have the latest signatures and updates for your security products such as antivirus."
Budd added that Microsoft is not canceling its monthly security release scheduled for April 10, which the company will provide advance notification for on Thursday.