Microsoft Rushes Out a Security Update

Microsoft Corp. yesterday said it plans to issue a software update on Tuesday to fix a dangerous security flaw in its Windows operating system -- a flaw that cyber criminals are actively targeting to gain access to computers across the Internet. The update will come a week in advance of Microsoft's official patch release schedule, which typically falls on the second Tuesday of each month.

Microsoft's urgency was no doubt spurred in part by unofficial software patches provided by third-party security software vendors, including eEye Digital Security, Determina, and the Zero-Day Emergency Response Team (ZERT), a coalition of security experts focused on providing quick fixes for unpatched software flaws that pose serious risk to computer users.

For the past week, criminals have been exploiting the vulnerability, which stems from a flaw in the way that Windows renders animated cursor files (to conceptualize this built-in capability, think of cute mouse arrows that leave a trail behind when you move them). By convincing a Windows user to open a specially crafted e-mail or to visit a Web site that is currently hosting the exploit, attackers can take complete control over almost any Windows computer in use today.

Microsoft deserves credit for pushing this patch out quickly. The SANS Internet Storm Center, which monitors malicious hacking trends, moved to Internet Threat Level Yellow amid reports that several blasts of junk e-mail were observed exploiting the vulnerability, and that an expanding number of malicious Web sites were hosting the exploit. This was one of a half-dozen times SANS has moved to the heightened threat level in the past two years.

On Saturday, I delivered a keynote speech at the SANS 2007 annual conference in San Diego, a talk that looked at the myriad sources of and contributing factors to the global cyber crime problem we are faced with today. One of my slides suggested that Microsoft adopt a more consumer-friendly approach to addressing extremely high-threat problems like this.

I noted that Microsoft's monthly "Patch Tuesday" cycle has traditionally been fashioned around concerns raised by businesses. Specifically, Microsoft has said that the most time-consuming portion of its patch process lies in testing the fix to ensure that it does not interfere with the proper functioning of third-party software applications that many companies use.

Clearly, these criteria are of little concern to the millions of home users and small/home office customers who do not typically deploy the types of enterprise software most commonly impaired by insufficiently tested Microsoft patches. Still, it is a tad unsettling that Microsoft has known about this flaw for some time now. Software security testing company Determina said last week that it originally alerted Microsoft to the flaw in December, well in advance of recent evidence that bad guys were exploiting it for commercial gain.

For a variety of reasons, Security Fix cannot endorse any of these third-party updates at this time. But here's hoping Microsoft's out-of-cycle patch release is a sign of new thinking at the company.

By Brian Krebs  |  April 2, 2007; 1:20 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , New Patches , Safety Tips  



Posted by: Ken | April 2, 2007 2:18 PM | Report abuse

Microsoft has dominated the market, and is practically the monopoly of operating system... Fine, but now take on the responsibility for security. If you are gonna be the top dog, then you better have the sharpest teeth.

Posted by: Del Cagle | April 2, 2007 2:19 PM | Report abuse

I like holes, they are fun!

Posted by: Me | April 2, 2007 2:31 PM | Report abuse

MS knew about this problem in NOVEMBER! Why has it taken them FOUR MONTHS to patch the hole? Trustworthy computing?!? I think not.

Posted by: CharlieJ | April 2, 2007 2:57 PM | Report abuse

Microsoft may have a partial monopoly. But this is just what the other OS companies are waiting for. This is like an open door to get into the market. Microsoft needs to pick up the slack.

Posted by: bren | April 2, 2007 3:14 PM | Report abuse

People, they have already stated this problem does NOT affect Vista IE7, as it uses a Sandbox to run code safely. It also does NOT affect Outlook 2007, but Mail, the "Express" version of Outlook.

There is a reason Microsoft doesn't care about this "security flaw." It's only a major concern under IE6/XP/2000.

Posted by: Cody | April 2, 2007 3:53 PM | Report abuse

"Rushes out" - Reads like a statement of finished fact. I've been reading everyone else's articles on this and the consensus is that Microsoft "Will" release a patch.
As of right now, (Apr 2, 14:30 MTDST) It has not.

Posted by: Anonymous | April 2, 2007 3:59 PM | Report abuse

"Over the past week, criminals been exploiting the vulnerability..."

This flaw is no more malicious than any piece of spyware or malware out there right now - it still takes the action of a user to trigger it. Which means, that Joe User who barely knows how to turn a PC on will be just as likely to get hit by this, as well as the other viruses and "Anna Kornikova" screensavers he clicks upon.

There is no patch for stupidity.

Posted by: Bill | April 2, 2007 4:10 PM | Report abuse

Man, aren't you the optimist, new thinking at Microsoft he heh heh. I won't hold my breath.

Posted by: Gentry | April 2, 2007 4:12 PM | Report abuse

I find it completely absurd that Mycrudsoft would wait to release an "available" fix to a critical security flaw. So what, Mycrudsoft now thinks it's better to release a critical fix in a scheduled manner as opposed to getting the fix out (available) asap. No wonder Mycrudsoft will never be secure like they claim to be and act!

Posted by: Chuck | April 2, 2007 4:32 PM | Report abuse

Microsoft deserves credit for pushing this patch out quickly.


Um, yeah, all things considered -- like SANS, third-party fixes, and Security Fix (take a bow bk).

I will bet that the -- buy more Vista -- solution did not go down very well with IT managers and was a very good reason to ignore the business software cycle. Then again I (the Marquette alumnus) bet on Georgetown :P

Posted by: GTexas | April 2, 2007 5:25 PM | Report abuse

I am running Vista, the fewer that choose to adopt it early the better. Heck, the device driver companies aren't even making code that works well on this OS yet...
If I wanted to get to the most people that are the most vulnerable, I would be targeting 2000/XP-IE6.
Heck, I bet there are more MAC users than Vista users today (may not be that way in the coming months) But if I were a nefarious individual and had to write/work on three different codes to sack, pillage or plunder I wouldn't be going after Vista users just yet unless MS just happened to port the code forward, and they wouldn't do something like that! Would They?

Posted by: Path of Least resistance | April 2, 2007 7:38 PM | Report abuse

I think everyone affected by this flaw should get together and form a class action lawsuit. That would get their attention.

Posted by: DR | April 2, 2007 7:52 PM | Report abuse


Posted by: COMPUTER SCIENTIST | April 2, 2007 10:05 PM | Report abuse

In reading this article, I found it a bit troublesome. You first state that "Microsoft deserves credit for pushing this patch out quickly," but towards the end you state that MS knew about the issue since December. I would accept that they were quick to issue a statement and that they are working feverishly to fix something that attackers were now exploiting. Have they been working hard for the past 3 months? YIKES! no wonder it takes MS 5+ years for a "new" OS when it takes them 3 months to fix an animated mouse cursor!

What I find most troubling about this issue is that a mouse cursor file is an exploit vector AND that in order to apply the patch a reboot of the system will be required. (Other articles reference MS comments that this functionality is deep within Windows - hence the reboot and amount of time to deliver a patch.) WOW! Does anyone remember having to reboot Windows 95 when you changed the IP?

Please, if anyone has any contacts at MS, please ask them to provide some flexibility. Solaris recently had a telnet vulnerability. But this service could be disabled and replaced by something more secure (SSH). Even if telnet could not be turned off, there are other wrapper apps that provide some added security (tcpwrappers anyone).

I digress, spin the article any way you want.

Posted by: Anonymous | April 2, 2007 10:20 PM | Report abuse

Microsoft knew about this problem in 1984, by God!
If they can't figure out how to fix all the possible vulnerability permutations in TCP/IP well--they should be horsewhipped!!!!

Posted by: Linus | April 2, 2007 10:28 PM | Report abuse

well, if you p-r-imp your PC with cutesy cursors that are "free" perhaps you get what you deserve

Posted by: OhioMC | April 2, 2007 10:52 PM | Report abuse

OK Computer Scientist, I am unimpressed by your all caps screaming. Also, I would like to point out that the kernel running in XP is based on the NT kernel which most assuredly was designed with security in mind! I am no Microsoft lover myself, but I don't like your foolishness either.

Posted by: Software Engineer | April 2, 2007 11:11 PM | Report abuse


I totally ignore anyone who SHOUTS their entire post. I'm sure many others do the same.

Your SHOUTING post shows the same respect to the readers of this column that Microsucks shows to their customers - none.

Posted by: Mike in Baltimore | April 2, 2007 11:47 PM | Report abuse


So, you're a computer scientist? Wow! We must all bow down before you. It's a shame that you haven't learned how to type without using all caps. And a 10 page paper? That's about 4 hours of typing and research. So what's impressive about that? I've written 10 page papers about McDonald's. It doesn't prove anything.
You know, my mother bought herself a computer, and put in RAM all by herself. Does that make her a COMPUTER SCIENTIST too? I bet it would if $h3 7y93d 71k3 th!$.


Posted by: Another Mike | April 3, 2007 12:48 AM | Report abuse

I see this malicious code does not run on Vista/IE7. Dump those other versions, get Vista, Office 2007 and use IE7 exclusively. Everyone asked and asked and asked and complained for more security, so for goodness sakes, use it! Why do all these articles not point out that all the major AV companies have issued safeguards for this exploit? You all just needed something to talk about? Talk about getting people off their butts and move ahead in the digital world - get Vista/Office 2007/IE7 and use a good AV solution, I use Windows Live OneCare - not an issue (which I prove by running other scanners out there occasionally)..... What is more important, your pictures or your bank and credit card info? No brainer to me. Solution on both: back up your data and upgrade....simple.

Posted by: Master Guru | April 3, 2007 4:51 AM | Report abuse

"Microsoft deserves credit for pushing this patch out quickly."

No way. It took them three months.

You see with closed source proprietary systems you have to trust the developers when they tell you their system is secure, because you have no way of auditing the software code.

May I recommend you switch to Ubuntu when a new version is released on April 19.

Posted by: eclectica | April 3, 2007 6:38 AM | Report abuse

And who is trying to catch the spammers who send these "blasts of junk e-mail"? The answer my friend is blowing in the wind ....

Posted by: hatespam | April 3, 2007 8:45 AM | Report abuse

Why in the world would anybody still be using the Internet Explorer?

Posted by: FireFox User | April 3, 2007 8:47 AM | Report abuse

Master Guru ... get real! Most people's PCs are not capable of running Vista. Do you really think everyone should go and buy a new PC ?
I gave up on windows years ago as a safe way to access the internet. There are many great Linux distros available that offer many times the security of any windows system .. including Vista .. and they run on the PC that you already have.
If you want to use windows for all of your legacy apps .. fine, but if you use it to access the internet you're going to get hit.
Smarten up folks .. get Linux.

Posted by: linux user | April 3, 2007 9:40 AM | Report abuse

First, I am really upset at Microsoftie for not fixing this bug earlier when they were informed about it back in December. SHAME ON YOU MICROSOFT!!!!!!!!

Vista will likely be a more secure operating system than its predecessors but as someone said earlier, old code is being brought in from back in the 80's (maybe not that far but close).

So, Microsoft Windows One Care protected against exploitation of this vulnerability VERY soon after it was discovered. So, all of the One Care customers were protected. I think Microsoft should include this software for FREE in its freaking super expensive software price. It should not be our responsibility to protect ourselves from their poor programming decisions.

Posted by: Rocket Surgeon | April 3, 2007 11:16 AM | Report abuse

And to add to this. The entire world of technology has to scramble to protect their users. Intrusion detection/prevention companies have to frantically write new detection. Anti-virus vendors have to do the same. Sysadmins all over the world have to look at their environment to assess the risk of the vulnerability and try and use workarounds along with band-aids and bubble gum. Then they have to go back and undo all of this for the time that Microsoftie releases the patch.

Your average end user (grandma, mother, etc) is absolutely clueless to the vulnerability in the first place. So these are the victims of identity theft because Microsoft isn't reaching out quick enough to protect them.

Sorry, but the more I think about this the more pissed off I get.

And no, I am not going to jump on the Mac band wagon for this either. They are just as bad if not worse in responding to security matters. They go even further into the gutter by denying a vulnerability (that actually exists) exists.

Posted by: Rocket Surgeon | April 3, 2007 12:00 PM | Report abuse

When you write code for programs it is near impossible to foresee all the changes that can be inserted by hackers. Hackers spend long hours studying the source code in programs, and inserting commands until they are successful at exploiting the code. I for one feel Microsoft should act in a more timely manner when they discover vulnerabilities in their code, to make a patch available to users of their OS.
The inexperienced computer users are the most vulnerable to hackers on the INet. New users should be better educated on use of security B4 they attempt to learn to surf the net. MS could setup community programs to deal with the inexperience of newbies, and what they need to know about being secure(PUN) with their Email, downloads, and the dangers of not running virus/trojan/spyware scans on a regular daily basis. There is money to be made on the INet, both legal and illegal, hackers are not going to go away unless it becomes too expensive and dangerous for them.
The internet is a wonderful place, but it is also dangerous, be forewarned, act accordingly.

Posted by: Jac and Jules | April 3, 2007 12:51 PM | Report abuse

I run XP and when I retire this old laptop I'm switching to Linux or Mac. Forget Vista. I haven't decided yet but I'm leaning toward Linux. I'm pretty sure Linux and Macs have security holes also but since Windows has a massive market share the hackers get the most bang by exploiting Windows. But it will be a long time, if ever, that Linux & Macs gain significant market share. Therefore, piss-off Microsoft, I'm switching!

Posted by: Anonymous | April 3, 2007 1:14 PM | Report abuse

Jac and Jules,

There is a lot that awareness and training will not protect you from. For instance, say grandma loves to see pictures from a trusted site where others are allowed to upload them. In this case, an evil cursor file could be renamed to a JPEG and grandma, or whoever, gets infected.

Here is the way Microsoft sees it:

"In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker."

"an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability "

This is NOT true.

"An attacker would have no way to force users to visit a Web site Instead, an attacker would have to persuade them to visit the Web site"

This is just not true. For instance, I am an evil attacker. I want to prepare for a large attack against something that processes images or some other file that can be renamed an image format. I get myspace users to use my cute huggable images "thanks for the add", etc, and down the road when an unpatched exploit comes out I simply replace the image on my server with the evil one.

The real dangers are from trusted websites, not those hosted in Romania or Russia, China, etc.

Posted by: Rocket Surgeon | April 3, 2007 1:47 PM | Report abuse
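The renamed-file scenario raised in the comment above can be checked for on the defender's side by looking at file content rather than the extension. The following is an added example, not part of the original article or comment thread: the function names and the sample bytes are constructed for illustration, and the only format facts assumed are that animated cursor files are RIFF containers with form type `ACON` and that JPEG, PNG and GIF files begin with their usual magic bytes.

```python
import struct

# Leading magic bytes of the image types an upload gallery or mail gateway expects.
IMAGE_MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "ani": "ani"}


def riff_chunks(data):
    """Walk the top-level chunks of a RIFF file.

    Returns (form_type, [(chunk_id, declared_size, truncated), ...]),
    or None when the data is not a RIFF container at all.
    """
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    form, chunks, pos = data[8:12], [], 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        body_end = pos + 8 + size
        truncated = body_end > len(data)  # declared size runs past end of file
        chunks.append((cid.decode("latin-1"), size, truncated))
        if truncated:
            break
        pos = body_end + (size & 1)  # chunk bodies are padded to even length
    return form, chunks


def sniff(data):
    """Classify content by its bytes, ignoring whatever the filename claims."""
    riff = riff_chunks(data)
    if riff and riff[0] == b"ACON":
        return "ani"
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_upload(filename, data):
    """Compare the type implied by the extension with the sniffed type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = EXT_TO_TYPE.get(ext, "unknown"), sniff(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        # An animated cursor presented under another name is the case to stop.
        "block": actual == "ani" and claimed != "ani",
    }


def constructed_ani():
    """Constructed, harmless sample: RIFF/ACON with one zero-filled 36-byte 'anih' chunk."""
    body = b"ACON" + b"anih" + struct.pack("<I", 36) + bytes(36)
    return b"RIFF" + struct.pack("<I", len(body)) + body


CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG header only

if __name__ == "__main__":
    for name, blob in [("thanks_for_the_add.jpg", constructed_ani()),
                       ("photo.jpg", CONSTRUCTED_JPEG),
                       ("cursor.ani", constructed_ani()[:30])]:
        print(check_upload(name, blob), riff_chunks(blob))
```

The truncated third sample shows why the walker records a `truncated` flag: a chunk whose declared size exceeds the remaining bytes is reported instead of being read past the end of the buffer.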

Rushes out is right- watch out for the following error message on reboot:

The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occured because the DLL C:\WINDOWS\system32\HHCTRL.OCX occupied an address range reserved for Windows system DLLs.

screenshot here:

Posted by: FreewheelinFrank | April 3, 2007 2:42 PM | Report abuse

It seems the overall consensus here is outright whining!!!!

As such, my two cents! Get over it!!!!!

The real security issue with ANY operating system is the USER!!!!!!!

Don't like Microsoft? Stop using it!!!!!!!!

If Microsoft is so bad......

Why is it that this user has NEVER experienced a security issue in the last ten years?????

It's NOT the software stupid!!!!! It's the USER!!!!!!!!!

Posted by: TJ | April 3, 2007 3:08 PM | Report abuse

An obvious Windows weenie.

Posted by: Anonymous | April 3, 2007 3:13 PM | Report abuse

TJ is obviously not responsible for the 'users' like some of us are. Even a security professional like myself can get infected with something evil if there isn't even a workaround for an unpatched flaw.

Posted by: Rocket Surgeon | April 3, 2007 3:35 PM | Report abuse

Update on the error message:

When you start a computer that is running Microsoft Windows XP with Service Pack 2, the Realtek HD Audio Control Panel may not start. Additionally, you may receive the following error message:
Rthdcpl.exe - Illegal System DLL Relocation

The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.
This problem occurs when the Realtek HD Audio Control Panel (Rthdcpl.exe) by Realtek Semiconductor Corporation is installed.

The website is advising to call the MS support number where they may or may not charge for the privilege of receiving the hotfix.

Posted by: FreewheelinFrank | April 3, 2007 3:36 PM | Report abuse

This particular microsoft security update crashed both my and my friend's computer. It conflicted with Realtek audio manager and moves a necessary DLL file. It also provides a blue screen of death.

When will the idiot eggheads at Microsoft test the security updates before they release it to the population. We don't need downtime. We need our computers for work.

Posted by: Daniel Ng | April 3, 2007 4:20 PM | Report abuse

If Realtek would get off their butts and issue up to date drivers for Vista, this in all likelihood would NOT have been an issue. Why would Microsoft spend time testing an update on hardware even the manufacturer will not support on Vista? This is NOT a Microsoft issue it is a Realtek issue........

Now as for the freaks who want to drag this out into a Windows/Mac/Linux is not a Windows/Mac/Linux issue.....plenty of code is out there that was written specifically to attack those other systems and anyone with half a brain knows it. They are no more secure than Windows and certainly not more secure than Vista.

Now to TJ - 100% correct - if people would just browse wisely on an up to date computer with a good AV solution and hardware firewall we would all be much better off.

Again - just do it!

Posted by: Master Guru | April 3, 2007 5:29 PM | Report abuse

Who are you calling a freak with a half a brain? Them there's fight'n words Master Guru!

Posted by: Anonymous | April 3, 2007 5:54 PM | Report abuse

It's an XP issue, not a Vista Issue.

US users get access to a free phone number to sort out this problem, everybody else has to phone up a national rate number to ask for the hotfix.

Posted by: FreewheelinFrank | April 4, 2007 3:05 AM | Report abuse


MS have now put the hotfix on the web page.

Posted by: Anonymous | April 4, 2007 3:08 AM | Report abuse

Master Guru ... if you think that telling 80% of the PC users to go out and buy a new computer so they can run Vista is a rational piece of advice .. I don't.
And perhaps you didn't read the guidelines for posts here .. "freak", "half a brain" .. not exactly appropriate for this discussion.

Posted by: linux user | April 4, 2007 7:51 AM | Report abuse

I agree. Most of the computers out there won't even run XP, never mind Vista. There are excellent Linux distributions that can run secure, up-to-date operating systems on just about any computer, with firewalls and AV packages.
This is about security. MS can't deliver it for most of the systems on-line today. Telling people to get Vista isn't a practical solution. Telling them to get up to date with a secure OS is.

Posted by: DaveB | April 4, 2007 10:22 AM | Report abuse

@Master Guru:
>>I see this malicious code does not run on Vista/IE7.

I see this malicious code does not run *through* IE7 due to its Protected Mode.

However, I also see this malicious code runs *on* Vista just fine.

>>Everyone asked and asked and asked and complained for more security, so for goodness sakes, use it!

No, what we asked for was *better* security, not just "more".

@Rocket Surgeon:
>>The real dangers are from trusted websites, not those hosted in Romania or Russia, China, etc.

No, the real danger is that still, even with IE7, all websites are in essence trusted -- by Microsoft's default policy decisions -- to run unknown code.

Posted by: Mark Odell | April 4, 2007 10:38 AM | Report abuse

I see once again the linux freaks are lerching, standing by, unapologetically promoting Linux as a full answer to a few problems in other OS's, which is just not true.

I said Vista because RealTek and Vista did not and still are not getting along. There is no reason why older motherboards with the many versions of AC97 should not work OS independent, but RealTek has forced this issue and is looking to sell more hardware at the expense of us are many other hardware makers.

The issue is directly related to RealTek. Again, when RealTek wants to play nice, the issues will be resolved.

Posted by: Master Guru | April 4, 2007 8:14 PM | Report abuse

it's interesting that someone who was promoting that we all move to Vista would then make the comment "but RealTek has forced this issue and is looking to sell more hardware at the expense of us are many other hardware makers."

This is after MS have found themselves in court again because they have promoted upgrading to Vista and people find that their machines will barely run .. even on "Vista Ready" systems. They have to buy more hardware.

Posted by: linux user | April 5, 2007 7:40 AM | Report abuse

Master Guru ... perhaps you can explain why Windows fans always resort to personal attacks.

Using terms like "freaks" doesn't strengthen your position as either a "Master" or a "Guru".

Posted by: DaveB | April 5, 2007 11:29 AM | Report abuse

Dave, attacking anything non-windows is a MS trait that seems to have rubbed off onto windows users.

Posted by: Alun | April 5, 2007 12:00 PM | Report abuse

Does this apply to Vista?

Posted by: Dennis | April 5, 2007 12:51 PM | Report abuse

Dennis ... see this from Mark Odell's post

However, I also see this malicious code runs *on* Vista just fine.

Posted by: DaveB | April 5, 2007 2:07 PM | Report abuse

Let me restate my lerching comment:

.....oh wait, you did a great job of arguing my point.....but.....make a valid argument please.

If I leave my window open, the rug gets wet..if I turn off protection, I may get a virus......gimme a break.......the answer is not what if stuff my head up my ass and do something stupid........the answer is come up for breath.

Posted by: Master Guru | April 5, 2007 10:26 PM | Report abuse

OhioMC -- It's not a matter of user installed "fancy" cursors. The standard windows "wait" or "working" cursors, such as the default hourglass, are .ani animated cursors.

Why is there so much discussion of peripheral "philosophical" issues, and none of how this thing works and means of mitigation of this specific vulnerability?

Posted by: Jim Pivonka | April 7, 2007 3:09 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company