Drive-By-Shooting on the Internet
A critical vulnerability has surfaced that affects many Microsoft products, including Windows XP and Vista, most versions of Outlook, and Internet Explorer 6 and 7.
The exploit takes advantage of a flaw in how many Microsoft products process animated cursors.
Hey, this is a bad one! And it is not just theoretical; it is already actively in use.
All you have to do is view an infected HTML email or Web page, and your computer can be instantly compromised.
By compromised we mean, “It’s not your computer anymore.”
Microsoft does not have a patch.* They recommend turning off HTML viewing in Outlook (unless you have Outlook 2007, which is not vulnerable) and being cautious about unknown web pages.
Microsoft Security Advisory (935423)
Fortunately, a patch has been developed by the eEye Digital Security Corp. A description and link for the patch can be found at their web site:
http://research.eeye.com/html/alerts/zeroday/20070328.html
Due to the insidious nature of this vulnerability, we strongly recommend installing the patch.
Alternatively, use a non-Microsoft Browser and email viewer.
* Update: Microsoft has announced that it will be issuing a patch for this exploit on April 3rd, instead of waiting for its regular monthly update. Those who have automatic updates enabled should get it automatically. Those who don't should visit Windows Updates and Office Updates on April 3rd and install the patch ASAP.

