Volume 4, Number 13 -- April 4, 2007

Microsoft Patches Animated Cursor Flaw in Windows

Published: April 4, 2007

by Alex Woodie

Microsoft yesterday issued a rare "out of cycle" patch that fixes the serious Animated Cursor vulnerability, as well as six other flaws in Windows. Attack code for the Animated Cursor flaw, which affects all current versions of Windows, including Vista, has been distributed widely across the Internet, leading to the formation of a chain of malicious Web sites and spam e-mails that, if visited, can turn full control of your PC over to attackers.

You may have noticed that your mouse's cursor looks different when you visit certain Web pages. This is the result of controls, called .ANI files, that Microsoft has included in Windows that enables programmers to customize their cursors with animations or icons, such as an hourglass or a trailing cursor. However, unbeknownst to most Windows users, Microsoft's implementation of the .ANI controls was flawed with a stack buffer overflow vulnerability, and somebody discovered how to exploit it to gain control of affected systems.

Reports of attacks first started rolling in last Wednesday. Software security firm McAfee was the first to spot the attacks, which were being executed through a network of malicious Web sites and maliciously crafted HTML e-mails that gave hackers full control over systems.

By Thursday, Microsoft had seen enough. On that day, the company first posted a security advisory confirming that it was aware of the problem and that it was working hard to develop and test a patch. While Microsoft had been aware of the flaw since December, the attacks spurred the company to kick it into high gear and finish the patch, which it did yesterday as part of Microsoft Security Bulletin MS07-017--a week before the next regularly scheduled Patch Tuesday.

It's unclear how many systems were compromised through the Animated Cursor flaw. Microsoft, which typically downplays security problems, says it was aware only of "very limited" attacks utilizing the vulnerability. By the accounts of others, however, the Animated Cursor flaw was a pretty big deal, and exemplified the changing nature of the security game.

Sensors from several organizations' intrusion prevention systems (IPS) indicated attacks were initiated from groups in the U.S., Brazil, China, and Eastern Europe. Those factions likely paid to obtain exploit code for the Animated Cursor, which they used to install a range of malicious software, including adware and keylogger software used to steal identity-related information, according to Amol Sarwate, manager of Qualys' Vulnerability Research Lab.

In the old days, the hackers who discovered vulnerabilities would write viruses or other malware that exploited that vulnerability, Sarwate says. "Now it's a black market. You don't exploit it. You sell it to people who want to spam you or install things on your computer," he says.

The Animated Cursor Flaw also drew out another nemesis of Microsoft: the Zeroday Emergency Response Team, which on Monday released a patch that addressed the vulnerability. However, ZERT's influence was not expected to be long-lasted, in light of Microsoft Security Bulletin MS07-017.

Microsoft Security Bulletin MS07-017 actually fixes seven problems. Besides the Animated Cursor Flaw, other flaws fixed with this patch include the GDI Local Elevation of Privilege vulnerability, the WMF Denial of Service vulnerability, the EMF Elevation of Privilege vulnerability, the GDI Invalid Windows Size Elevation of Privilege vulnerability, the GDI Incorrect Parameter Elevation of Privilege vulnerability, and the Font Rasterizer Local Elevation of Privilege vulnerability. Of these flaws, the Animated Cursor Flaw Remote Code Execution vulnerability is by far the most serious. Microsoft says it has found attack code for the GDI Local Elevation of Privilege vulnerability on the Internet, although no attacks have been reported.

The flaws affect all current versions of Windows, including Windows 2000 Service Pack 4 (SP4, Windows XP SP2, Windows XP Professional X64 Edition, Windows Server 2003 and its SP1 and SP2 variants, Windows Server 2003 for Itanium-based Systems and its SP1 and SP2 variants, Windows Server 2003 X64 Edition and its SP2 variant, and Windows Vista and the X64 Edition of Vista.

The Animated Cursor Flaw is the first real vulnerability to hit Windows Vista since it was released to businesses four months ago, and released to consumers just over two months ago. However, considering that the Animated Cursor Flaw gets to Vista by exploiting legacy Windows code, don't be surprised to find additional problems in Vista related to legacy baggage, Sarwate says.

"This opens doors to hackers," he says. "It says if old pieces were used in Vista, to exploit this vulnerability, there has to be some other code from old operating systems in Vista, which opens doors to other vulnerabilities and other ways for attackers to try out other things. It definitely gives incentives for hackers to check out older vulnerabilities from older products" to see if they have an effect on Vista.

Despite the large, out-of-cycle patch issued yesterday, Microsoft is on track to deliver another round of patches next week as part of its regularly scheduled Patch Tuesday security lifecycle. Microsoft skipped Patch Tuesday for March.


Microsoft Skips Patch Tuesday for March

                     Post this story to
               Post this story to Digg
    Post this story to Slashdot

Sponsored By

HP, IBM and Sun Server Deals via RSS

                                                  · Subscribe to our Specials via RSS
                                                  · Up to 80% off manufacturer's list price
                                                  · Multi-million dollar inventory

We Buy & Sell new and remarketed servers,
upgrades, peripherals and parts.

HP Proliant, IBM xSeries, IBM pSeries, RS6000,
HP Integrity, Sun Microsystems, Cisco, more…

View or Subscribe to:
Special Offers on Servers and Upgrades

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

Vision Solutions:  Get facts on managed availability and business continuity to eliminate downtime
Wolf Computer Consulting:  Reliable service and affordable rates for business computing needs
COMMON:  Join us at the Spring 2007 conference, April 29 - May 3, in Anaheim, California


The Four Hundred
Next Up on the System i5: Native GNU g++ and IBM XL C/C++

WDSc V7.0: Componentization of Advanced Edition Is Not Enough

Gartner Says It Was "All Over" the Virtualization Effect

Kronos To Be Taken Private Through a $1.8 Billion Buyout

The Linux Beacon
Intel Shows Off Future Penryn and Nehalem Chip Designs

Cornerstones Laid for the Linux Foundation

Gartner Says It Was "All Over" the Virtualization Effect

Revenue Up, But Profits Take a Hit at Red Hat in Q4

Four Hundred Stuff
CYBRA Finds the 'Edge' for Native i5/OS RFID Software

Lakeview Adds More Autonomics to MIMIX

Thoughts on the Coexistence of Full Test Automation and Manual Testing

Help/Systems Boosts Graphics with Robot/NETWORK V10

Big Iron
IBM Replies To Platform: No More Compatibles

Top Mainframe Stories From Around the Web

Chats, Webinars, Seminars, Shows, and Other Happenings

Four Hundred Guru
Two Views on the WDSc Snippets View, Part 1

The Case of the Missing Outline (View)

Admin Alert: Five Things that Kill Backups (and What to Do About Them)

System i PTF Guide
March 24, 2007: Volume 9, Number 12

March 17, 2007: Volume 9, Number 11

March 10, 2007: Volume 9, Number 10

March 3, 2007: Volume 9, Number 9

February 24, 2007: Volume 9, Number 8

February 17, 2007: Volume 9, Number 7

The Unix Guardian
Sun Breaks Sparc Unit Free Again

Gartner Says It Was "All Over" the Virtualization Effect

Oracle Sues SAP Over 'Corporate Theft on a Grand Scale'

As I See It: Workplace Heaven

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar


Storage Guardian
Vibrant Technologies
Lakeview Technology

Microsoft Loosens the Licensing Screws for Vista Virtualization

Microsoft Patches Animated Cursor Flaw in Windows

XenSource Extends and Improves Windows Support with 3.2 Release

Intel Shows Off Future Penryn and Nehalem Chip Designs

But Wait, There's More:

eEye Debuts Free Security Software for Windows . . . Computer Makers Tout Ways to Reduce Carbon Dioxide Emissions, Save Money . . . Complacency Will Get You Killed, Security Researcher Says . . . Dell Listens to Reason, Will Adopt Linux on Its PCs and Laptops . . . HP Does an Athlon-Opteron Tower Server for SMBs, Too . . . Gartner Says It Was "All Over" the Virtualization Effect . . .

The Windows Observer


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement