I know what you are thinking, and the answer is "No, Patch Tuesday didn't come early this month. You still have next week's patches to look forward to." Let me sum up what led to this out-of-band patch: Microsoft has been working on this animated cursor issue since December of last year, when Determina reported the vulnerability privately. The same hole was apparently found separately by a party or parties unknown and used in a limited attack on at least one Symantec customer. Symantec informed Microsoft on March 28, 2007, which prompted Microsoft to issue the advisory you received the next day, Thursday. After that, proof-of-concept code was released publicly and attacks exploiting the vulnerability increased, which is what moved Microsoft to ship this patch out of band.
This patch actually addresses 7 different vulnerabilities, but the one to focus on is "Windows Animated Cursor Remote Code Execution", which lets an attacker run arbitrary code on the targeted system if the targeted user can be induced to open a specially crafted web page or email message. That covers viewing web pages, previewing or opening email messages, and opening email attachments. Blocking .ani files by extension does not protect you: Windows identifies a cursor by its content, not its file name, so a malicious cursor served as .jpg or any other extension is still parsed. Using IE7 in Protected Mode (Windows Vista only, since IE7 on XP has no Protected Mode) and Outlook 2007 with its default setting of rendering HTML with Word blocks the most common attack vectors for those two products; everything else is exposed until patched.
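Since extension filtering is useless here, any gateway or mail check has to look at content. The following scanner is an added example written for this newsletter (not code from the original, from Microsoft or from any vendor mentioned here). It identifies an animated cursor by its RIFF/ACON signature regardless of file name, walks the chunk tree, and flags an anih chunk whose declared size is not the 36 bytes of a real ANIHEADER, or any chunk whose size runs past the end of the data. The 36-byte structure size is documented; an oversized anih chunk is the well-known trigger shape for this bug, but treating any other size as suspicious is this example's own heuristic, not a vendor signature. The sample files are constructed inline, not captured.

```python
"""Content-based scanner for animated-cursor (RIFF/ACON) files.

Added example, not code from the newsletter or from Microsoft.  A cursor
is recognised by its RIFF/ACON signature, never by extension, so a file
renamed to .jpg is scanned exactly like one named .ani.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields (documented size)


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size, truncated) for each RIFF
    chunk in data[start:end].  Payloads are padded to an even length."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        truncated = payload + size > end
        yield fourcc, payload, size, truncated
        if truncated:
            return
        pos = payload + size + (size & 1)


def scan_ani(data):
    """Return a list of findings (empty means nothing suspicious).

    The declared RIFF size is deliberately not trusted: the scan runs to the
    end of the data so a short header cannot hide chunks from the scanner.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings  # not an animated cursor at all

    def walk(start, stop, depth):
        for fourcc, payload, size, truncated in iter_chunks(data, start, stop):
            if truncated:
                findings.append("chunk %r at offset %d declares %d bytes past end of data"
                                % (fourcc, payload - 8, size))
                return
            if fourcc == b"anih" and size != ANIH_SIZE:
                # Heuristic for this example: a real ANIHEADER is exactly 36 bytes.
                findings.append("anih chunk at offset %d declares %d bytes (expected %d)"
                                % (payload - 8, size, ANIH_SIZE))
            elif fourcc == b"LIST" and size >= 4 and depth < 8:
                # LIST payload = 4-byte list type followed by sub-chunks;
                # the depth cap stops a crafted file from exhausting the stack.
                walk(payload + 4, payload + size, depth + 1)

    walk(12, len(data), 0)
    return findings


# --- constructed samples (not captured files) -------------------------------

def chunk(fourcc, payload):
    """Build one RIFF chunk: id, little-endian size, payload, even padding."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(*chunks):
    """Wrap chunks in a RIFF container with form type ACON."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize=36, 1 frame, 1 step, cx/cy/bits/planes unused, rate 10, flags=ICON
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)

BENIGN = riff_acon(chunk(b"anih", GOOD_ANIH),
                   chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 64)))

# Valid first anih followed by an oversized second one.  On disk this is the
# same whether the file is called cursor.ani or picture.jpg.
OVERSIZED = riff_acon(chunk(b"anih", GOOD_ANIH),
                      chunk(b"anih", b"A" * 0x60))

# A chunk whose declared size runs past the actual end of the data.
TRUNCATED = (b"RIFF" + struct.pack("<I", 0x1000) + b"ACON"
             + b"anih" + struct.pack("<I", 0x400) + b"B" * 16)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("oversized anih", OVERSIZED),
                        ("truncated", TRUNCATED)):
        print(label + ":", scan_ani(blob) or "clean")
```

Run it over attachments or proxy downloads by content: the file name never enters the decision, which is the point the advisory makes about extension blocking.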
In practice this is a workstation issue, plus any Terminal Services hosts where end users log on interactively, as long as your admins refrain from web browsing and reading email on servers.
Because of the rise in attacks and the lack of any comprehensive workaround, I suggest deploying this patch to workstations ASAP with abbreviated testing. Keep an eye on KB article 925902 for any "known issues" (that is, problems) with this patch. Currently there is only one such issue, affecting computers with the Realtek HD Audio Control Panel, and there is a hotfix for it.
Best wishes with this patch and hang in there until next week…