Microsoft will patch the increasingly dangerous Windows animated cursor vulnerability tomorrow, a week early, a spokesman of the company's security team said Sunday.
"Microsoft originally planned to release the update on Tuesday, April 10, as part of its regular monthly release of security bulletins," the spokesman said in an e-mail. "However, Microsoft is aware of the existence of a public attack utilizing the vulnerability, [and] since testing has been completed, Microsoft will release the update ahead of schedule to help protect customers."
The announcement followed a weekend of escalating warnings from security organizations and reports from China's Internet Security Response Team (CISRT) of a worm in the wild using the unpatched vulnerability. Symantec and other antivirus companies confirmed the existence of the Fubalca worm Sunday.
Over the weekend, a number of events showed the speed with which attackers were moving. First, exploit source code was publicly posted on a security mailing list, then McAfee said it had seen at least one spam run that linked to the exploit, and finally, Websense Inc. claimed that it had spotted more than 100 malicious sites spreading the exploit, a tenfold increase over the day before.
Microsoft's decision to push the patch out tomorrow may have come just in time. This weekend, Ken Dunham, director of VeriSign's iDefense rapid-response team, said, "We are in the eye of the storm. Spam run-type attacks pose significant danger to enterprises as the workweek resumes. Popularization of the exploit is under way amongst multiple hackers, and it's trivial to use and modify.
"This is undoubtedly a serious issue that will persist for many months if not years, attacking vulnerable computers," said Dunham.
On Saturday, Microsoft's Security Response Center (MSRC) added Windows Server 2003 Service Pack 2 to the long list of Windows editions affected by the bug. Sunday, Christopher Budd, an MSRC program manager, acknowledged that attacks leveraging the flaw had increased. "In light of these points and based on customer feedback, we have been working around the clock to test this update," Budd said on the MSRC blog.
The emergency fix, pegged as MS07-017, will be released through Microsoft's normal channels, including Automatic Updates, Windows Update and the enterprise-oriented Windows Server Update Services. MS07-017 will be only the third out-of-cycle patch from Microsoft in more than two years.