[gui-talk] Windows XP is also involved - Article: Microsoft to Fix Critical Vista Flaw Early
Steve Pattison
srp at internode.on.net
Mon Apr 2 17:42:50 CDT 2007
Microsoft to Fix Critical Vista Flaw Early
By Nate Mook, BetaNews
April 2, 2007, 12:00 PM
Microsoft confirmed Sunday that it would not wait until April's "Patch Tuesday" to release a fix correcting a critical flaw in Windows Animated Cursor Handling, which affects most supported versions of the company's operating systems. Instead, an update is coming Tuesday.
The exploit, which results in a crash-restart-crash loop, is triggered by a buffer overflow in an animated cursor file. A similar flaw was discovered in early 2005, but did not apparently affect Windows XP Service Pack 2. The new issue, discovered by McAfee's Avert Labs, does impact XP SP2 and Windows Vista, as well as Windows 2000 SP4 and Windows Server 2003.
Avert Labs' video of the incident, posted to YouTube, shows a Vista system in which the test file is apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed. But in trying to restart Explorer, the restart itself crashes, sending Vista into a tailspin from which the only escape appears to be the off button.
Security research firm eEye released its own third-party "temporary
fix" for the problem Friday, but Microsoft recommended strongly that
users wait for an official patch.
"From our ongoing monitoring of the situation, we can say that over
this weekend attacks against this vulnerability have increased
somewhat. Additionally, we are aware of public disclosure of
proof-of-concept code," Microsoft security researcher Christopher
Budd wrote in a blog posting.
"In light of these points, and based on customer feedback, we have
been working around the clock to test this update and are currently
planning to release the security update that addresses this issue on
Tuesday April 3, 2007."
Microsoft said it was notified of the flaw in December 2006, and has
been working on a fix since. Coincidentally, the company claims the
update was already scheduled for April 10, so moving it up one week
is not that difficult of a task - a point ostensibly made to
emphasize that customers should not expect similar turnaround on
security patches in the future.
"Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10," Budd said, noting that "it's possible that we will find an issue that will force us to delay the release."
Regards Steve
Email: srp at internode.on.net
Skype: steve1963
MSN Messenger: internetuser383 at hotmail.com