The company is telling customers to apply the patch for what it's calling a critical flaw, released as Security Bulletin MS07-017, immediately.
MS07-017 addresses a vulnerability in the way Windows handles Animated Cursor (.ani) files. The vulnerability could allow an attacker to take over a PC remotely. From the company's statement:
"This vulnerability is a remote code execution vulnerability that exists in the way Windows handles cursor, animated cursor and icon formats. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
This is only one of three updates that have been released outside Microsoft's normal patching schedule since January 2006, all released due to threats to customers. The company originally planned to release the update on Tuesday, April 10, as part of its regular monthly patch release. Public attacks exploiting the vulnerability lit a fire under the software maker, however, as reports have come in of spam touting naked pictures of "Britiney Speers" that have delivered instead links to compromised sites, where the exploit files have been injected to victims' systems. Websense also last night detected a widespread ANI attack coming from the Asia/Pacific region.
"Based on our analysis of this issue and customer feedback releasing an update outside of our normal release cycle was the right thing to do," Microsoft's statement says. "As a result, teams worked around the clock to complete testing early so we could deploy the update ahead of schedule to help protect customers."
Teams may have worked around the clock to get out the patch, but, evidently, they started burning the midnight oil only after McAfee went public with the vulnerability last week. In fact, Microsoft said in its MSRC blog that security researcher Determina alerted the company to the vulnerability on Dec. 20.
Users of Microsoft's Automatic Updates will receive the update automatically. The patch can also be manually downloaded by visiting Microsoft Update or Windows Update. More information is at http://www.microsoft.com/athome/security.
Microsoft will also be releasing additional security updates on Tuesday, April 10 as part of its regularly scheduled release of security updates. The two patch releases in April makes up for March, in which there were none. Customers can find out more information about next week's release at: http://www.microsoft.com/technet/security/bulletin/advance.mspx.
Below are the affected Windows versions. If a Windows version isn't on this list, it's either not affected or no longer supported.
"Microsoft Windows 2000 SP 4 Microsoft Windows XP SP 2Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition SP 2Microsoft Windows Server 2003, Microsoft Windows Server 2003 SP 1, and Microsoft Windows Server 2003 SP 2Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft Windows Server 2003 with SP2 for Itanium-based SystemsMicrosoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition SP 2Windows VistaWindows Vista x64 Edition"