Microsoft today released a patch for the critical-rated vulnerability in animated cursors that has been widely reported by me in this blog and elsewhere.
Microsoft Security Bulletin MS07-017 is a patch for a remote execution vulnerability that is already being exploited.
But, in addition to that .ani file vulnerability, this security bulletin addresses a total of seven vulnerabilities affecting different platforms and having different ratings for each platform (see the bulletin for details).
- GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)
- WMF Denial of Service Vulnerability (CVE-2007-1211)
- EMF Elevation of Privilege Vulnerability (CVE-2007-1212)
- GDI Invalid Window Size Elevation of Privilege Vulnerability (CVE-2006-5586)
- Windows Animated Cursor Remote Code Execution Vulnerability (CVE-2007-0038)
- GDI Incorrect Parameter Local Elevation of Privilege Vulnerability (CVE-2007-1215)
- Font Rasterizer Vulnerability (CVE-2007-1213)
Of these, the animated cursor remote code execution threat is rated critical across all platforms, INCLUDING the current release of Vista.
Some of these vulnerabilities had been disclosed publicly before the release of this series of patches, but only the animated cursor threat had been exploited.
Affected platforms are Windows 2000 SP4, XP SP2, Windows Server 2003, WS2003 SP1, WS2003 SP2, and Windows Vista. The vulnerabilities also apply to x64 and Itanium editions.
MS07-017 replaces MS06-001 and MS05-053 for W2K, XP, and Windows Server operating systems, but it replaces MS05-002 ONLY for Windows Server 2003 (not WS2003 SP1 or SP2). The replaced bulletins predate Vista.
Microsoft only describes workarounds for the WMF DoS and animated cursor vulnerabilities; in both instances, the recommendation is to open e-mail in plain text.
Significant mitigating factors are only described for the animated cursor threat:
"Customers who are using Windows Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer Protected Mode."
Also, for Microsoft Office Outlook 2007, using default settings would protect against this attack.
Since there are significant mitigating factors for Vista users, while this is still rated a critical security bulletin for the new platform, the actual threat doesn't appear to be very big.