Thursday, April 5, 2007

Microsoft Patches Windows Cursor Flaw

As expected, Microsoft has released security update MS07-017, which patches a critical vulnerability in Windows Animated Cursor Handling. The company says it has been working on the fix since December, and has posted it early due to reports of attacks.

The problem is similar to one discovered in early 2005, which apparently did not affect Windows XP Service Pack 2. The new vulnerability came to light in December, but an exploit taking advantage of the flaw surfaced only last week.

McAfee's Avert Labs noted that the problem impacted XP SP2 and Windows Vista, as well as Windows 2000 SP4 and Windows Server 2003. Microsoft's Security Response Center jumped into action and confirmed the vulnerability shortly thereafter, promising a swift resolution. A video of the incident shows a Vista system on which the test file is apparently trying to load the custom animated cursor.

When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed. But in trying to restart Explorer, the restart itself crashes, sending Vista into a tailspin from which the only escape appears to be the off button.

Although MS07-017 has been released separately from the usual "Patch Tuesday" cycle, Microsoft claims the update was already scheduled for April 10, so moving it up one week was not that difficult a task - a point ostensibly made to emphasize that customers should not expect similar turnaround on security patches in the future.

Download:

Microsoft Windows 2000 Service Pack 4 — Download the update
Microsoft Windows XP Service Pack 2 — Download the update
Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2 — Download the update
Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003 Service Pack 2 — Download the update
Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems — Download the update
Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2 — Download the update
Windows Vista — Download the update
Windows Vista x64 Edition — Download the update
source: microsoft.com
