Microsoft First Notified Of .ANI Bug In December - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

Microsoft First Notified Of .ANI Bug In December

An exploit for the zero-day vulnerability hit the wild last week, more than three months after Microsoft learned of the bug. Microsoft says it took more than three months to craft the patch.

Microsoft was first alerted to the .ANI vulnerability back in December, but a patch for it didn't come before exploits began hitting the wild last week.

Mark Miller, director of the Microsoft Security Response Center, said in an interview Monday with InformationWeek that the company needed the three-plus months to work on building and testing a good patch. Since the exploit hit last week, he said slightly less than 100 Microsoft technicians have been working "around the clock" to ready the patch.

A security researcher at Determina, a security company based in Redwood City, Calif., reported the vulnerability to Microsoft on Dec. 20, according to Miller. Working with Determina, Microsoft researchers, including program manager Adrian Stone, immediately began investigating the bug. A patch for it was going to be released April 10, as part of Microsoft's monthly Patch Tuesday update, but the fix release has been pushed up a week to deal with the growing number of malicious sites and other threats that are popping up to take advantage of it.

Miller stands behind Microsoft's response process and said it has taken the company more than three months to come up with a patch for the bug because it's simply a long, complicated process.

"It just took the time it took to produce this update," he said. "When you look at the time it takes to review the security issues, create a fix, and then test, it does take some time. ... Where it is in Windows, it is a core area. The time line is longer because you have to deal with this core area."

Miller would not say exactly where the flawed code is because he doesn't want that information out before customers can patch their systems.

The .ANI vulnerability lies in the way Windows handles malformed animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its highly touted Vista operating system. Internet Explorer is the main attack vector for the exploits.

Users are being infected after visiting a malicious Web page that has embedded malware designed to take advantage of the flaw. They also can be infected if they open a specially crafted e-mail message or if they open a malicious e-mail attachment sent by a hacker. Websense, a security company, reported that it has found more than 100 malicious Web sites that are exploiting the vulnerability.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll