Microsoft Patches .ANI Flaw, But More Attacks Expected

Microsoft released a security update to fix seven vulnerabilities, but security researchers expect the .ANI attacks to continue.

Even though Microsoft released a patch on Tuesday for the critical .ANI vulnerability, security researchers say the exploit attacks are expected to get much worse before they begin to get better.

The patch, which was released a week ahead of Microsoft's monthly Patch Tuesday schedule, fixes the way Windows handles malformed animated cursor files. Microsoft had planned on releasing the patch on schedule next week, but pushed it out a week early because of the wave of exploits that are showing up.

The security update doesn't just patch the .ANI vulnerability, but fixes a total of seven vulnerabilities, ranging from a WMF denial-of-service bug to three elevation-of-privilege bugs.

Dan Hubbard, a senior director of research at Websense, said in an interview that analysts there have found more than 700 Web sites that are spreading the .ANI exploit. Researchers have found an exploit being sent out in a spam campaign, and automated root kits are popping up online to let even unsavvy hackers build their own exploit malware.

All of this malicious activity isn't going to die down because Microsoft issued a patch, said Craig Schmugar, a threat researcher with McAfee, in an interview. "Getting the patch out early definitely was the right call to make," he said. "There's been a big uptick in exploit activity. It'll get worse. The release of a patch is not the end of the issue. Now that root kits are posted publicly, more and more hackers will find them and this will just get worse."

He added that this could remain an ongoing issue as researchers frequently find working exploits that are a year or two old.

In the 24 hours between Monday and Tuesday mornings, the .ANI exploits became the most detected piece of code coming out of Asia, Schmugar said. Globally, it went from outside of the top 20 to the No. 6 position. He added that he "has no doubt" it will become the most utilized exploit around the world in a week or two.

Even though Microsoft released a patch, it will take some time for consumers and enterprises to install it, and some will take a lot more time than others, said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, in an interview. That, he noted, will give the hackers plenty of time to continue their assault.

Both Microsoft and the SANS Institute are recommending that users download the patch immediately.

The .ANI vulnerability lies in the way Windows handles animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including the new Vista operating system. Internet Explorer is the main attack vector for the exploits.

Users are being infected after visiting a malicious Web page that has embedded malware designed to take advantage of the flaw. They also can be infected if they open a specially crafted e-mail message or if they open a malicious e-mail attachment sent by a hacker.

Microsoft was alerted to the vulnerability on Dec. 20 by Alexander Sotirov of Determina Security Research. Mark Miller, director of the Microsoft Security Response Center, said in an interview Monday that they began working on a fix immediately. The patch, though, did not come out before exploits began showing up in a flurry of malicious code last week.

Miller said the company needed the three-plus months to work on building and testing a good patch, adding that slightly fewer than 100 Microsoft technicians have been working on the fix since last week.
