Microsoft’s .ANI Fix Timeline

Microsoft announced today that it will issue an urgent, out of cycle patch for the ‘recent’ animated cursor vulnerability (CVE-2007-0038)… a whole week ahead of its precious and ill-conceived patch tuesday.

Some would claim that this an example of Microsoft doing the right thing, getting urgent issues resolved quickly and cutting through their own patching release cycle. Upon closer examination you will find this to be false.

This vulnerability affects all version of MS Internet Explorer and Windows. All an attacker would have to do is embed a malicious animated cursor into a web page and anyone who visits the page is ‘auto-attacked’. Its important to keep in mind that sites like myspace allow anyone to modify their own pages and embed anything they like. Its also important to remember that hackers take over legitimate, commercial sites and embed their nastys. They get more bang for their buck that way.

To support my belief that MS is still only talking big and not following through, I present to you the time-line.

December 2006 – Determina discovers .ANI 0-day vulnerability and reports its findings to Microsoft
March 23 2007 – Microsoft releases MSIE patch MS05-020 to fix vulnerabilities related to this. This patch was shoddy and still allowed exploitation of this specific vulnerability
March 26 2007 – Security researchers start to see exploits for this vulnerability in the wild
March 27 2007 Determina releases their own ‘3rd party’ patch to mitigate this vulnerability
March 30 2007 eEye follows suite and releases their own patch
April 3 2007Microsoft releases MS07-017 ‘out of cycle’ to patch this bug

Exposure Times
System exposure since discovery: 93 days*
System exposure since active exploits discovered: 8 days

*This is a conservative estimate. The article states “In December 2006”. For fairness sake this figure assumes 12/31/06 but the figure could in fact be as large as 123 days, if it was discovered 12/01/06