Microsoft Plans Out-of-Cycle Patch for Zero-Day Flaw
We still don't know all that much about the scope of the vulnerability in Microsoft's Windows Animated Cursor handling implementation, but -- based on Redmond's responsiveness thus far -- it seems like a doozy.
Microsoft has thrice updated its original security bulletin first released Thursday, and researchers at the Microsoft Security Response Center (MSRC) have updated the MSRC blog on several occasions, too.
The company now plans to release an out-of-cycle patch for the flaw tomorrow, although "it’s possible that we will find an issue that will force us to delay the release," wrote MSRC researcher Christopher Budd in a blog post yesterday.
The MSRC on Thursday confirmed the existence of "very limited attacks." By Saturday, however, Budd acknowledged that the number of attacks had escalated.
"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code," Budd wrote.
The vulnerability affects all versions of Windows -- including Windows Vista, Microsoft confirms.
Redmond's regular Patch Tuesday festivities are scheduled for April 10. A number of factors -- escalated attacks, proof-of-concept code -- prompted Microsoft to release an out-of-order update. There are other concerns, too: The Associated Press reports, via security researcher McAfee, that a posting on a Chinese hacking forum indicates that additional hackers plan to start exploiting the vulnerability, too.
Elsewhere, the AP cites speculation, attributed to researchers at VeriSign Inc.'s Defense labs, that Chinese hackers plan to use the vulnerability to steal (and subsequently sell) information pertaining to the World of WarCraft video game.
Microsoft's patch, should it appear tomorrow, won't be any rush job, Budd promised. "I'm sure one question in people's minds is how we're able to release an update for this issue so quickly," he wrote. "[T]his issue was first brought to us in late December 2006 and we've been working on our investigation and a security update since then. This update was previously scheduled for release as part of the April monthly release [next week]. Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10."
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.