EEye publishes fix for Windows zero-day vulnerability

http://www.infoworld.com/article/07/03/30/HNeeyefixforwindow s_1.html


EEye publishes fix for Windows zero-day vulnerability
Unofficial temporary patch fixes a bug in the way Windows processes
Animated Cursor filesBy Robert McMillan, IDG News Service
March 30, 2007 Talkback E-mail Printer Friendly Reprints


With online criminals exploiting an unpatched flaw in Windows,
security vendor eEye Digital Security has come forward with an
unofficial fix for the problem.



The unofficial temporary patch, published early Friday, fixes a bug in
the way Windows processes Animated Cursor files, which are used to
create cartoon-like cursors in Windows. Security researchers at McAfee
first reported the bug on Wednesday evening, saying that it has been
used in Web-based attacks.

Microsoft has said that it will eventually fix the problem and it
generally recommends that users avoid this type of third-party fix for
its products. But in the past, similar patches from eEye and others
have been downloaded by tens of thousands of Windows users, unwilling
to wait for Microsoft's updates.

Microsoft's next set of security patches are due April 10, but the
software giant has not said whether or not that release will include a
fix for the Animated Cursor problem.

Security vendor Determina said it informed Microsoft of the problem in
December. "Microsoft fixed a closely related vulnerability with their
MS05-002 security update, but their fix was incomplete," Determina
warned on its Web site.

Several Web sites, including two hosted in China, are now serving
attack code that exploits the bug, but this flaw is particularly
worrisome because it also affects Microsoft's e-mail clients.

In a blog posting on Thursday, Microsoft Security Response Center
Program Manager Adrian Stone said that Outlook Express users are
vulnerable to the bug, even if they are reading their e-mail in plain
text.

Microsoft advises Outlook users to read mail in plain text format, but
says that Outlook 2007 users are protected even if they are not doing
this.

According to eEye Chief Technology Officer Marc Maiffret, Microsoft
should have caught the problem two years ago, when his company first
reported the bug that was patched in the MS05-002 update. "They fixed
the bug we discovered back in '05, but during their standard bug
report code audit, they missed an area... where identical code was
used, with an identical vulnerability," he said via instant message.
"It is hard to say how long people have been exploiting this in the
wild due to the similar nature of the bugs."

Microsoft representatives could not immediately be reached for
comment.