Data Storage Today

Microsoft Patches ANI Security Flaw

April 3, 2007 11:39AM

Prior to the Microsoft patch released on Tuesday, the ANI cursor flaw put users of most supported versions of Windows and Windows Server, including Windows Vista, at risk of attackers taking control of their systems. However, users running Windows Vista and Internet Explorer 7 in Protected Mode should be safe from the ANI exploit, even on unpatched systems.


After some uncertainty, the I.T. world is both breathing a sigh of relief and gearing up for a long afternoon as Microsoft delivered a promised security patch on Tuesday.

The ANI cursor flaw patch fixes a dangerous Windows animated cursor vulnerability that leaves the door wide open for attackers to take complete control of a computer system. It is one of only a few out-of-cycle patches released since Microsoft launched its "Patch Tuesday" concept.

"The issue with the ANI cursor flaw is the severity of not just the vulnerability but the active exploitation of it," said Craig Schmugar, threat research manager for McAfee Avert Labs. "Usually people are balancing risk of deploying the patch versus the risk of not deploying the patch. In this case, the risk of not deploying is high."

Indeed, VeriSign's iDefense rapid-response team reports over 150 different samples and links pointing back to ANI exploitation. Websense, Symantec, and McAfee also have been monitoring attacks against the flaw.

Looking for Fixes

Anxious to safeguard systems from what some security experts are warning is an extremely critical flaw that could have long-term repercussions, I.T. administrators might have turned to one of several third-party patches to address the ANI cursor flaw while waiting for Microsoft's quality-assurance testing.

Indeed, third-party patches abound for the ANI cursor flaw. Vendors including eEye Digital Security, Determina, and the Zero-Day Emergency Response Team (ZERT), a coalition of security engineers that work to release nonvendor patches to fix zero-day vulnerabilities, have demonstrated that it's possible to move quickly to plug security holes.

"While third-party vendors such as eEye and ZERT Group have made an unofficial fix available, PatchLink recommends that organizations wait for the official patch from Microsoft," said Don Leatham, director of solutions and strategy for PatchLink Corporation. "Deploying third-party patches is risky, and as the official patch vendor, Microsoft has a specific knowledge and understanding of the underlying code."

Ongoing Attacks

Users of most supported versions of Windows and Windows Server, including Vista, are at risk of attackers taking complete control of their unpatched systems. However, Microsoft offered a silver lining: Users running Windows Vista and Internet Explorer 7 in Protected Mode should be safe because the security feature doesn't allow files to access or modify any system files without user permission.

Microsoft said that, in order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker.

That makes it different in nature than the Zotob worm of 2005. While Zotob was a self-executing worm -- a machine could get infected without any user interaction -- firewalls would typically mitigate the risk. Firewalls don't safeguard users from the ANI cursor vulnerability, but user interaction is required.

Still, there are some similarities worth noting, security researchers said. Both threats are severe and both could have long-term impacts on the security world.

"Now that the patch is available, this doesn't mean the worst is over. We expect the attacks to continue to pick up," Schmugar said. "In the past we've seen vulnerabilities that were patched for months rising to the top of the exploit chart. Attackers are going to be crafting their exploits around this vulnerability for some time."
