Microsoft issued a patch for the already-exploited Windows animated cursor vulnerability with a critical out-of-cycle security update that also fixed six other flaws.
The MS07-017 security bulletin, released a week ahead of the regularly scheduled April 10 patch date, fixes the ANI vulnerability that first surfaced last week when Microsoft acknowledged ongoing attacks. Since then, the bug has been tagged as “very dangerous” by security experts, exploits for it have been distributed by hundreds of malicious Web sites, and it was the focus of multiple spam campaigns designed to dupe users into visiting criminal Web sites.
On Sunday, Microsoft promised it would push out an early patch. Tuesday’s update is only the third since January 2005 to be posted outside the normal monthly schedule.
Microsoft based the early-release decision on its own prognostications. “We have been monitoring the situation throughout and our indications, and those of our MSRA [Microsoft Security Response Alliance] partners, show there is a threat for attacks against this vulnerability to increase, although we haven’t seen anything widespread,” Christopher Budd, program manager at the Microsoft Security Response Center (MSRC), said in a blog entry Tuesday.
Users can obtain the MS07-017 patches via Windows’ Automatic Update, from the Microsoft Update service or through enterprise tools such as Windows Server Update Services (WSUS) and Software Update Services (SUS).