Monday, April 02, 2007

The Cursor Zero-Day Bug

"Let's be careful out there...."

Microsoft Corp. will patch the increasingly dangerous Windows animated cursor vulnerability tomorrow, a week early, a spokesman of the company's security team said yesterday.

The announcement followed a weekend of escalating warnings from security organizations and reports from China's Internet Security Response Team (CISRT) of a worm in the wild using the unpatched vulnerability. Symantec Corp. and other antivirus companies confirmed the existence of the Fubalca worm yesterday.

Over the weekend, a number of events showed the speed with which attackers were moving. First, exploit source code was publicly posted on a security mailing list, then McAfee Inc. said it had seen at least one spam run that linked to the exploit, and finally, Websense Inc. claimed that it had spotted more than 100 malicious sites spreading the exploit, a tenfold increase over the day before.

The Chinese ought to know: the bug was tracked to a couple of servers located in PRC.

...This weekend, Ken Dunham, director of VeriSign Inc.'s iDefense rapid-response team, said, "We are in the eye of the storm. Spam run-type attacks pose significant danger to enterprises as the workweek resumes. Popularization of the exploit is under way amongst multiple hackers, and it's trivial to use and modify.

"This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers," said Dunham.

The MS repair should roll out tomorrow.

Symptoms of the bug: endless crash/restart.

No comments: