Windows zero-day flaw 'very dangerous,' experts say

With Vista at risk, eEye issues unofficial patch; attacks traced to Chinese hackers

The Windows zero-day bug now being used by attackers is extremely dangerous, security researchers said Friday, and ranks with the Windows Metafile vulnerability of more than a year ago on the potential damage meter.

"This is a good exploit," Roger Thompson, CTO of Exploit Prevention Labs, said in an instant message exchange. "It's very dangerous. One of the reasons is that there's no crash's instantaneous. And all it takes is visiting a site."

Thursday, Microsoft's Security Response Center (MSRC) issued an advisory acknowledging a bug in Windows' animated cursor, a component that lets developers show a short animation at the mouse pointer's location. Attackers, who are already exploiting the bug in limited fashion, can hijack PCs by tempting users to malicious Web sites or by sending them a malformed file via e-mail.

Other researchers waded in Friday with warnings of the animated cursor danger. "This is reminiscent of the former Windows Metafile (WMF) attacks from 2005 and 2006," Ken Dunham, director of VeriSign's iDefense rapid response team, said in an e-mail. "It's trivial to update, multiple sites now host the code in a short period of time, and the highly virulent file exploitation vector within Windows Explorer exists."

In late 2005, exploits of the WMF vulnerability swept through malicious sites and infected thousands of PCs with a raft of malware, including spyware and bot Trojans. Microsoft rushed a patch into place in early January 2006, one of the few times it has gone out-of-cycle with a fix.

"There are a lot of exploits the equivalent of triple lutzes," said Ross Brown, the CEO of eEye Digital Security. "Only those high to the right on the hacker bell curve can pull it off. But this one doesn't need a lot of sophistication.

"It doesn't require a PhD in hacking," Brown said. "The number of people who can use this is huge."

EEye considered it so dangerous that early this morning it released a rare unofficial patch to temporarily plug the dike. This is only the second time that eEye has put out an unsanctioned fix for a Microsoft bug.

"We have some internal criteria for doing that, which this met," said Brown. "First, there's no direct mitigation, no registry switch or kill bit that a user or administrator can set. Second, the patch itself should be unobtrusive. And third, we want to make sure that the patch will unload itself when Microsoft releases its patch."

EEye's fix is "straight-forward," said Brown, who likened it to a shim. "This prevents any animated cursor except those already installed by Windows from being executed," he said. eEye's patch notes said that the fix blocks cursors from being loaded outside of %SystemRoot%, which prevents sites from loading their own, potentially malicious animated cursors.

Brown confirmed that the patch includes code to automatically uninstall itself once a user installs the expected Microsoft fix.

Because simply previewing an HTML e-mail message can result in an infection, Microsoft also provided additional details late Thursday on which of its e-mail clients are safest to use. According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista's Windows Mail -- as long as users don't reply or forward the attacker's messages. The SANS Institute's testing, however, contradicted Microsoft; by SANS' account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don't have to actually open the message to be in danger of an infection.

In-the-wild attacks, said Dunham, have been limited so far to those against Windows XP SP2 through Microsoft's Internet Explorer 6 and 7 (IE6 and IE7) browsers. But that won't likely remain the case for long. "Our tests prove that trivial modification is all that's required to update the payload and functionality on multiple operating system builds," he said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Cool Tech

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

Gadgets & Things

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >


Learn more >

Family Friendly

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?