Microsoft will be releasing a critical security update tomorrow (via Windows Update) to patch what is being referred to as the “Windows animated cursor” vulnerability. It almost sounds hard to believe that an exploit can occur from something as simple as a mouse cursor, but as CNet points out it is definitely possible:
There’s a new Microsoft Windows vulnerability caused by an unspecified error in the way Windows 2000, XP, and Vista handles animated cursors. Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type so simply blocking .ani files won’t necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons.
Most of you probably won’t have to worry though, because a large percentage of our visitors are using either Opera or Firefox as their browser. This vulnerability only applies to Internet Explorer 6 or 7 on Windows 2000, XP, 2003, and Vista. However, if you’re using IE 7 on Vista and you have the User Account Control (UAC) enabled then you are also fine. When you have UAC enabled it will force IE 7 to run in “protected mode” which is helpful at preventing unwanted attacks such as this one.
Microsoft learned about the vulnerability back in December 2006, but the attacks didn’t start appearing until the middle of last week. The severity of this is what prompted Microsoft to push out the patch even sooner:
This update was previously scheduled for release as part of the April monthly release on April 10, 2007. Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10.
While it is unfortunate that this vulnerability even exists, I guess it does demonstrate two things:
- Internet Explorer should not be used by casual computer users because they are the ones who are most likely to get taken advantage of.
- The User Account Control in Vista may actually be more beneficial than I thought. I used to keep it disabled, but as of about two-weeks ago I re-enabled it and I’m actually surprised that it hasn’t annoyed me. I’m confident that I can recognize a suspicious website or file when I see one, but the attacks are getting so advanced these days that I don’t want to take any chances.
Image Source: University of Texas