MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."

I'm glad ...

[Anonymous Coward]

that ANI will be ok.

Re:I'm glad ...

[morgan_greywolf]

that ANI will be ok.

Not to worry. He later hooks up with a certain senator, becomes a dark sith lord, and eventually becomes the right-hand man of the ruler of the known galaxy. It's only later when his son comes around to finding him that he gets killed.

Oh, wait...

Oh great!

[risk one]

Thanks for the spoiler!

WOW

[blankaBrew]

Is this the WOW that M$ is peddling?

I'm still worried...

[BalorTFL]

Rumor has it ANI was struck by some smooth criminals, who came in through Windows... or something like that.

Re:

[LittleGuy]

Does this make the people who pushed this patch out the door.... ANI-Maniacs?

possible workaround

[slyxter]

Wouldn't setting your own .css file in IE's accessibility options work for this. Just set the .ani to something safe and that should override any website's settings.

Re:possible workaround

[_xeno_]

Yes, but not quite the way you say - you'd want to override the cursor on all elements.

The CSS override would be fairly simple:

* { cursor: text !important; }
/* The next rule returns links to being the little hand cursor: */
a { cursor: pointer !important; }

That overrides the cursor on all elements. The !important is important - the user-specified stylesheet is by default overridden by local pages. However, pages can't override !important rules in the user stylesheet.

However, I have not checked to make sure that using that stylesheet will actually prevent IE from downloading the cursor. For all I know it will still attempt to download the cursor anyway and still be vulnerable.

It *DOES* download it anyway

[_xeno_]

Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.

Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.

Re:

[slashd'oh]

Don't forget that IE doesn't understand the "pointer" value for "cursor" - use "hand" instead:

a { cursor: hand !important; }

No

[Opportunist]

It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon See here [zone-h.org] for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation what's cooking).

What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.

I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know now stronger word than urgent.

Re:

[Bungie]

Thanks for the link! I've been trying to find a detailed report on the vulnerability since it was first announced. That was exactly what I needed to know!

I'd comment if...

[foxpaws]

I'd comment if I could hit the "submit" button with this darned cursor....

Re:

[Anonymous Coward]

Sorry, my bad. Here, let me hit that button for you...

Get rid of patch Tuesday

[Frogmanalien]

Doesn't this just make Patch Tuesday more and more irrelevant- that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it catch people off guard in the business world, and I'm sure that most consumers think the same as me- fix my computer, and fix it now!

Re:

[morgan_greywolf]

In fact, many larger enterprises only do updates quarterly, unless there is known to be a live exploit in the wild that a particular patch fixes. They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.

Re:

[Anonymous Coward]

They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.

Wrong. They think it's not a big deal. But it is. It has been shown, without any surprise to security-conscious people, that there were bots and spamming-bots at several Fortune 500 companies. No matter how many anti-virus and firewall you've got, you're not detecting root-exploit hiding in Windows' kernel and communicating by hiding into seemingly regular http/htt

Re:

[rbanffy]

As a friend of mine once said, "you pay peanuts, you buy monkeys".

There is little question a Windows administrator costs less than an experienced unix'er (a monkey can push a couple buttons and create a new user, but using adduser takes at least two working neurons), but the real question is if you want to trust your company's information to somewhat trained monkeys.

Why should I patch

[Anonymous Coward]

the "most secure" OS more than once a month?

Re:

[Anonymous Coward]

WSUS doesn't get you out of the huge testing cycle large corps have to do to make sure new patches don't break any of their many custom in-house-built-apps (as well as purchased apps) before they deploy them. The testing is still easier and less time consuming to do in batches. Rolling out the patches with WSUS is the easy part of the deal. Big corps don't give a monkey about some yahoo on /. who doesn't understand what their process is before rolling out patches. They specifically asked MS to do patch t

Re:

[imemyself]

How many consumers update Windows on a regular basis? And regardless, most consumers have their computers set up so insecure that a patch like this is the least of their worries. Also, large corporations have a helluva lot more to lose than grandma who struggles to send an email. And they also pay more. Why shouldn't MS care more about their large customers?

Re:

[ILikeRed]

Don't complain now... Microsoft has known about this since December of last year - who knows how long the black hats have been using it?

I'm upset because I am responsible for users running Windows, and although I have set policy forbidding the usage of IE, I can't enforce it because of Microsoft tying the browser to the OS. I can't imagine the fits CIO's at bigger firms are having right now, and even more so at financial institutions (e.g. Wells Fargo), and then what if you were managing the network for s

Re:

[evultrole]

I'm upset because I am responsible for users running Windows, and although I have set policy forbidding the usage of IE, I can't enforce it because of Microsoft tying the browser to the OS.

You can still remove I.E. the program while leaving the I.E. rendering engine installed for patching (through I.E. tabs in mozilla or whatnot) without having any real downside effects (programs depending on I.E. still run as they don't use iexplore.exe) I've been doing this for years with XPlite, but you can just as e

Re:

[Thumper_SVX]

Spoken like someone who doesn't deploy patches to an Enterprise.

Do you have any idea the diruption caused by patch deployments even on a monthly cycle? Particularly when reboots are involved?

I realize this is due to bad design on Microsoft's part... but at least with a monthly, predictable cycle I can work with the business to schedule downtime. That's where "Patch Tuesday" comes in.

I also realize that managed patching is the way to go... no matter the release cycle. However, we still end up with the same p

then YOU can make your own patch Tuesday

[r00t]

Want to patch one day per month? Fine. How about one day per year? It's your choice.

Some would rather not delay. They're not getting THEIR choice.

Remember, if Microsoft releases a patch every 30 minutes, you can still choose one day per month to apply them all.

i wonder what kid released the poc and away we go!

[Anonymous Coward]

often this happens because some person released a working example
for windows XP or what not. then a loser or three use this code
to arm their worms. remember, the worm is written many times over,
they just wait for 0day. they do not code anything, but cut and
paste.

who and where is the code? lets thank them for their hard work :-(

Re:i wonder what kid released the poc and away we

[Opportunist]

I have the source for it here in front of me. It's far from trivial (buffer overflows rarely are). A good working understanding of assembler is the bare basics to start understanding what's going on. At the very least you'll need someone who can stuff your worm code into it (even further away from trivial).

This ain't some VB code that you copy, paste and alter. We're talking hand crafted assembler injection code here which does differ a lot from application to application. Just because you have a sample tha

Re:

[Opportunist]

Still, and I hope we can agree upon that simple thing, even to modify an existing exploit code requires more skill than pointing and clicking. Which takes a good deal of wannabes out of the loop.

The 'art' of squeezing your code into the package and pointing the instruction pointer into it is indeed the 'only' difficulty after the exploit has been published. This is indeed not hard when you know what you're doing, but then, what is?

If you REALLY know what you're doing, mentioning that there's a overflow flaw

Timing

[Rubinhood]

I seriously thought that this animated cursor vulnerability was an April 1st joke. Lesson learned: with m$, the most unreal jokes become reality...

Re:

[ColdWetDog]

No grasshopper, you have learned a deeper lesson: reality is a joke.

Perhaps M$ should....

[8127972]

... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them [slashdot.org] which IIRC was a highly unusual step for them.

Re:Perhaps M$ should....

[ColdWetDog]

No No No No!

Patch Tuesday is wonderful. That means I can get up Wednesday morning, boot up my wife's PC and not have to deal with "Honey, what's the flashing little shield for again?". And before you ask, yep, it's going to Ubuntu pretty soon. Just got her on Firefox ("where is the blue E thingy now? How come it works different? Did you break the computer again?").

The good news? She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se. Time for the screwdrivers...

Re:Perhaps M$ should....

[sunwukong]

"where is the blue E thingy now? How come it works different? Did you break the computer again?"
Time for the screwdrivers...

And by that you mean the alcoholic beverage, right?

Family tech support: proving S&M tendencies is genetic.

Anti-Windows troll

[DogDude]

Ahh... an anti-Windows zealot shows his true colors... "She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se.". So then, you'd be HAPPY if Windows BSOD'ed for no reason, just so you could jump up and down and point and scream, "SEE??!?!! WINDOWS IS EEEEVIL!!" C'mon. Grow up. If you're married, then you've gotta be at least 16-ish. Instead, you're acting like a 12 year old.

Re:

[Endo13]

Hey, I'd settle for just having them release patches for zero-day vulnerabilities on the first patch Tuesday following the discovery of the vulnerability. But they can't even manage that.

However one thing they could do is release patches as an Optional Software update as soon as they're ready, and then move them to High Priority update status on patch Tuesday.

Re:

[rbochan]

That's going into your file [slashdot.org]!

oh how cute!

[circletimessquare]

look at the cute little fat blue dinosaur wobble!

oh! what gorgeous red prancing pony!

oooh! a spinning coin, it's magic!

ha! i like how the fingers tap as they wait, it makes me smile

wait, what's this?

V1AGRATEENORGYLOANPREAPPROVEDC1A1SDEARSIRIHAVEALAR GESUMINLAGOSNIGERIA...

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[blincoln]

It seems that if a small group like ZERT can release a patch in a couple days [isotf.org], a company with purse strings like MS should be able to release a supported patch in less than four months!

There's a difference between a quick hack and a properly-written and -tested patch. Please don't fall victim to the belief that just because white/grey-hat hackers can do something quickly, they are doing it in a way that is robust enough to work in an enterprise-scale deployment, and comprehensively solves the ro

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[smash]

Granted, however my experience is that the larger the organisation, the less efficient and sloth-like it is.

I've worked for 4 companies of various sizes, and been able to get more done in a 2 person organisation than I can in a 2500 employee company simply because in the 2500 employee company, everything needs to go to committee chaired by idiots who have no idea with regards to the problem in question, no one wants to take responsibility, and no one has the balls to make a decision.

It's more serious than just "blinking".

[Opportunist]

It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.

Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.

Re:

[shird]

The WMF 'exploit' was actually 'by design' and supposed to execute code, it was a feature. Originally used to handle cases where an abort or something is required when rendering and the WMF file itself could contain a callback consisting of code to handle it. (I forget the exact details, but its something like that).

A buffer overflow is something completely different.

I just don't understand why an internet browser would be attempting to download and parse an .ANI file automatically without prompting the use

Re:

[Opportunist]

Actually the WMF exploit was a buffer overflow issue. Yes, it was a bug in the escape function that allows you to pass code, but the actual problem was that the buffer you're writing to was located on the stack (and still is, afaik), and it was not checked whether you try to fill more into it than you should. That's what happens when you let the user set how many bytes he wants to use but offer him a static field to write into. It was bound to happen, if not by malice then by accident.

I don't understand why

Microsoft's security gnomes

[MillionthMonkey]

Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix.

Dear Microsoft,
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.

Dear Customer..

[Savage-Rabbit]

Dear Microsoft,
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.

Dear Customer,
Unfortunately a hoard of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnome's cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a hoard of torch and pitchfork wielding penguins and as a result we were to low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh asssault to retake the security gnome's cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.

Regards

The Microsoft Support Team.

Re:

[MillionthMonkey]

Oh but Linux supports animated cursors, therefore they are the source of all goodness. But Linux doesn't have buffer overflows anywhere, so it's fine.

Merely being able to support a stupid feature on an OS platform, if someone chooses to install it, isn't quite the same as bundling the stupid feature into the operating system itself- i.e. into a browser that was forcefully (and without too much foresight) jammed up the OS hard to bamboozle a judge. All other operating systems allow you to uninstall a piece o

hmm

[mastershake_phd]

I never did trust that animated peace sign.

Where do you want to go today?

[192939495969798999]

To Windows Update, same as every day!

NOCs are at a higher risk

[A_Non_Moose]

...because they're not staring at the blinky cursors, but at the blinky lights on the switches.

Like, for instance that switch over th...Oooohhh, blinky lights. Pretty.

Parser error!

[DigitAl56K]

"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."

The Reg clearly structured this sentence knowing it would make front page on /.

Re:

[Plutonite]

Yes, my mental parser BSODed on that as well. I even tried to put in a period after "Tuesday", but it is still rubbish. Ya know, it wouldn't harm the editors if they just READ the summary, casually even, and post it if they manage to NOT die in agony. By God it is not too much to ask!

Funnily enough, the April Fools stories were eerily free of error. I wonder if they were trying to say something.

Impacted browsers

[eraser.cpp]

It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.

Re:

[Skiron]

"...the damage in IE 7 in Vista is quite limited in its default "protected" mode."

I think if you are running Vista, you are _damaged_ enough anyway.

Re:

[Fred_A]

I think if you are running Vista, you are _damaged_ enough anyway.

Your bias is showing. In protected mode, all you have to do is unplug your mouse and you're perfectly safe.

Re:

[drinkypoo]

The browser runs in a sandbox. If you download an ANI file and view it (or even visit the directory containing it) then you could have issues. But loading it in IE from a website shouldn't harm you.

Re:Impacted browsers

[TheNetAvenger]

Yes it is true that the vulnerbility is limited on Vista since IE runs with lower permissions than the user and cannot harm anything that IE cannot touch, and IE cannot touch hardly anything in Vista.

Also where in the heck do you get that GUI runs in kernel space? You seriously need to read up a bit on NT, as the Win32 subsystem itself doesn't even get to run in the kernel, let alone the GUI attached to it.

You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is a OS Kernel nerd.)

Could you elaborate?

[mosel-saar-ruwer]

You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is a OS Kernel nerd.)

I actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wante

Re:Could you elaborate?

[TheNetAvenger]

actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wanted to load the windows graphics subsystem, and the entire "environment" was pure client[user space]/server[kernel space], with the graphics "client" living entirely in user space.

Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.

So what is this "quite clever technology" that allows Vista to return to the older model?

In lay terms, MS breaks the driver into two parts. The MS side is a kernel level interface that translates up to user mode for the MFR driver.

This is really smart for a couple of reasons.

1) It gives the performance of a kernel level driver without explosing the system to a 3rd party driver in kernel space.

2) It also allows Vista to do things even NT pre 4.0 couldn't do, like live swap video (i.e. you can remove the video card and it doesn't crash the OS.) Not only can portable and external display devices connect and disconnect effortlessly, but no matter how bad a video driver is, once Vista is running it takes an act of God for the video driver to crash the OS or leave the OS without video.

As external PCI express devices become more popular, especially for laptops, you can effortlessly switch from the onboard video to the dock or external display device. I have done this while watching a movie in Media Center and the pause to flip was less than 1 sec and it didn't even lose a frame of video.

Basically Vista can restart the video driver by virtually unplugging the video card and turning it back on, and then if the driver continues to fail Vista will continue through several steps including turning off the video again and dropping to a generic VGA driver and restarting the video card. Eventually it will even try to activate a second video device if one is present in the system and the main video won't turn back on even with generic drivers if the card is damaged.

So not only is it better protected from a bad video driver, it has a rather intelligent recovery process so that the user isn't left with a blank screen.

No, 3.51 was teh r0x0r

[mosel-saar-ruwer]

Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.

No, dude, you could boot NT 3.51 without graphics.

Just like with Windows 3.11 running on top of DOS, with NT 3.51 you could type "WIN" at a shell prompt and start the windows system.

It was absolutely teh r0x0r - possibly the coolest product Microsoft ever released.

Re:

[TheNetAvenger]

No, dude, you could boot NT 3.51 without graphics.

Just like with Windows 3.11 running on top of DOS, with NT 3.51 you could type "WIN" at a shell prompt and start the windows system.


Um, no you couldn't...

NT has always booted directly to its GUI with the only exception being the "recovery console" in XP or the new boot mode in Vista that is quite like the recovery console in XP, but running the full NT kernel.

http://en.wikipedia.org/wiki/Windows_Startup_Proce ss [wikipedia.org]

NT has NEVER booted to a command line and requi

Dude, you're wrong.

[mosel-saar-ruwer]

NT has NEVER booted to a command line and required someone to type 'win' to boot the GUI. Just like a Mac has never booted to a command line. There is nothing under NT. Understand?

Dude - in NT 3.51, you could kill the windowing system.

Kinda like how you can kill "explorer.exe" in more recent versions of windows, and it sorta kills your "Active Desktop" before it [usually] reloads itself, only in NT 3.51, when you killed windows, you were left with a shell prompt, and you had to run "WIN.EXE" to restart

Re:

[TheNetAvenger]

Kinda like how you can kill "explorer.exe" in more recent versions of windows, and it sorta kills your "Active Desktop" before it [usually] reloads itself, only in NT 3.51, when you killed windows, you were left with a shell prompt, and you had to run "WIN.EXE" to restart windows.

It was just like loading or unloading X-Windows on a Unix system.

Ok, Dude, NO YOU COULDN'T... You are freaking insane...

NT lacks a command-line-driven kernel. PERIOD!!!! There is no freaking way you could boot to a command line in

wrong: large chunks of the GUI are in the kernel

[r00t]

So they moved SOME of the GUI out, supposedly.

Huge portions are definitely still there.

Works flawlessly

[Opportunist]

Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).

Re:

[TheNetAvenger]

Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).

The point is that no matter how the exploit runs, it cannot elevate its privileges above the originating EXE/DLL invoking the code.

In Vista, IE runs

Re:

[pe1chl]

You mean that this feature is only available to IE, and you cannot install a user-written appication that has the same privilege system?

I smell an antitrust lawsuit... such a feature should be determined by ACL on the .exe or systemcall from within the .exe, not by "magic mechanism"...

Re:

[Giometrix]

"You mean that this feature is only available to IE, and you cannot install a user-written appication that has the same privilege system?

I smell an antitrust lawsuit... such a feature should be determined by ACL on the .exe or systemcall from within the .exe, not by "magic mechanism"..."

Are you sure about that, or just speculating? I'm just curious.... as this seems like it could be useful in other types of apps as well.

Re:

[TheNetAvenger]

Nope any application can lower their privledges, they just don't choose to do so...

Re:

[Opportunist]

That depends. After all we're talking a stack overflow here, something that by its very nature doesn't care too much for access privileges. All that has to happen here is an injection in a relevant DLL.

Since DLLs don't run on privilege levels by themselves, being no standalone applications, they depend on the privileges available to the calling functions. Now, LoadAniIcon is (afaik) located in the user32.dll, and this dll is also used by the shell...

I agree, it ain't easy. But boy, is it rewarding!

Re:

[thisispurefud]

you wrong! because if the exploit is launched by IE7 then the dll code is executed with the same IE7 privileges which are very very low

Re:

[Opportunist]

What bothers me is that the explorer shows the same behaviour. And I'm not sure if the IE itself is doing the call, it might well be that it hands over the task to the explorer, and that could get ugly.

Re:

[TheNetAvenger]

And I'm not sure if the IE itself is doing the call, it might well be that it hands over the task to the explorer, and that could get ugly.

Vista IE can't hand anything over to explorer. It can't even open freaking notepad to view a page's source code without getting permission.

Re:

[FutureDomain]

In a strange twist, this makes IE on Vista safer than Firefox or any other browser that runs with user level privileges.

Not really, I run Firefox through Drop My Rights [microsoft.com] which demotes it to limited user rights. It works on both Windows XP and Vista, and it works perfectly normal as a limited user mode (I haven't tried it in constrained or untrusted mode).

Re:

[pe1chl]

It should also be noted that only badly managed systems, where the logged-in user has administrator privileges all the time, are really vulnerable.

"protected" mode

[r00t]

You trust that? Your confidence amuses me.

Why all this planning and press releasing

[jhfry]

Give us the patch already... I mean hell... they are telling us when it will be released... which means they have written it an tested it to some degree already.

They are probably using this few days to figure out how they can spin the whole issue to make them look good!

I don't know why I even care... this bug doesn't effect me in the least.

Even more proof

[unborracho]

That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.

Gates "dares anybody" to exploit vista

[bl8n8r]

So I wonder if this[0] was just a run-of-the-mill dare where nobody really cares if you do it or not, or a double-dog dare, or the greatly feared TRIPLE-dog dare? Especially since "We made it way harder for guys to do exploits" [1]

[0] - http://blogs.zdnet.com/Apple/?p=422 [zdnet.com]
[1] - http://www.toptechnews.com/story.xhtml?story_id=49 854 [toptechnews.com]

At last!

[Farmer Tim]

MS plans emergency update to fix blinking cursor bug.

Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.

Pardon my language...

Speaking of which...

[Jugalator]

I wonder, would Bill Gates and Steve Ballmer taken together be two anii?

As Scotty said once

[thewils]

"The more you try to overtake the plumbing, the easier it is to clog up the drain."

Microsoft please take note.

Re:

[UncleTogie]

Scotty never said ANYthing about being about to outrun plumbing.

WTF?! Can't be...

[__aaclcg7560]

I haven't seen an ANSI bug since my days as a BBS sysop years ago.

Detected on Linux SMB Server...

[Temujin_12]

Interestingly, clamav's weekly scan of my home Linux server caught Exploit.Win32.MS05-002.Gen [bitdefender.com] in a few mp3 files and a tar.gz file. They weren't important files so I just deleted them. I have several Windows XP Professional machines that access it (the mp3s dir is used as the library root for windows media players).

BitDefender's description of their detection of this virus:

This generic detection targets .ANI files that contain malicious code addressing Integer overflow in the LoadImage API Vulnerability [secunia.com]