Microsoft has confirmed the threat.

There are already reports of this zero-day vulnerability being actively exploited.

The risk, of course, is that an attacker could run arbitrary code on the vulnerable system, making this an extremely dangerous threat. 

Microsoft reports that these platforms are specifically affected:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista

Microsoft’s advisory concluded that “Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment, the attacker could cause the affected system to execute code.”

This is an .ani related threat and may be connected with the vulnerability disclosed earlier in the week and in this security blog “Unpatched Hole in IE 6/7 ….”

Microsoft’s workaround is to open emails in plain text otherwise you just have to avoid untrusted web sites.

The Redmond software giant also specifically warns that this doesn’t do any good if you are using Outlook Express.


 Security settings in Vista and IE 7 mitigate the risk somewhat.

Microsoft is planning a patch but eEye Digital Security has already released an unofficial fix for this zero-day vulnerability. 


NOTE: This is breaking news so please check the Microsoft and eEye sites for any changes. Also, of course, keep an eye on this security blog for major updates. 


My Comment – Microsoft’s work around brings up an interesting question: Does any security conscious IT specialist use Outlook or Outlook Express? I certainly don’t use either one.