Clarification: Confused by the different numbers reported for sites exploiting the .ani flaw? Like the 46,000 sites I cite here, vs. the 2,000 or so reported in this IDG news story?
The difference is this: The larger number counts all affected sites, including those that merely direct a hapless surfer to a site containing the .ani exploit without hosting the system-busting code themselves. The 2,000 figure reported by Websense is the number of sites that directly contain the exploit.
The 46,000+ number is the one to worry about, if you ask me. If you browse any of them with a vulnerable computer, you probably won't much care whether that site had the exploit or just sent you to one that did. You'll be owned either way.
--------
Online attackers are jumping all over the critical Windows Vista, XP and 2000 .ani flaw that can surrender control of your computer if you simply view a site containing one of the poisoned animated cursor files.
According to Andreas Marx of AV-Test, he had to stop counting after finding 46,000 different URLs that together serve up almost 3,000 different corrupted .ani files. One of those sites is reportedly that of Asus, the popular motherboard manufacturer.
A blog at Dynamoo reports finding an inserted iframe leading to the .ani exploit on the company's asus.com.tw site, and Kaspersky says it confirmed multiple such reports. Ryan Naraine has more on the Asus site at his Zero Day blog.
Microsoft released a rare early patch last week for the flaw via Automatic Updates (also available from security bulletin MS07-017). But according to Marx, the rushed patch broke some critical software.
In an e-mail to Microsoft, Marx wrote that every company in Germany has to use the ElsterFormular software to declare its monthly or quarterly taxes. First-quarter taxes have to be declared by tomorrow, he wrote - but the software won't run on computers with the .ani security patch.
Let's hope that Microsoft releases a fix for the fix soon, since German companies can be fined for late tax declarations. But this snafu is a great example of Microsoft's bind when it comes to patches.
The company regularly takes heat for a seemingly slow patch cycle. The .ani flaw was reported back in December, for instance.
Redmond's typical response is that QA testing for the huge range of potential problems - like breaking critical tax software - takes time. True - but that delay gives online crooks time to find and attack the bugs, with, say, 46,000 attack sites around the world.
There's no easy solution here. Microsoft did the right thing releasing an early patch for a critical flaw under widespread attack. But it's also clear that there's merit to its claim that it needs to step carefully to avoid breaking essential apps.
Maybe Redmond needs to find a way to release beta patches for quick security fixes that can be followed by more fully tested final patches. Or maybe it needs to finally forget about legacy compatibility, toss every bit of potentially buggy existing Windows code, and start from scratch for its next OS.