The more things change, the more they stay the same.
In the world of Windows vulnerabilities, that maxim proved out during the recent sweep of the animated cursor (ANI) file bug, which has more than a passing similarity to a major malware outbreak based on the late-2005 Windows Metafile (WMF) flaw.
With some researchers calling ANI the most dangerous Windows vulnerability since WMF -- and security vendors such as Websense tracking nearly 500 Web sites distributing an ANI exploit -- it seemed only natural to bring out the virtual tape and see how the two measure up.
Our take: Eerie, ain't it?
| WMF | ANI | |
|---|---|---|
| News first breaks | Dec. 28, 2005 | March 28, 2007 |
| Microsoft posts security advisory | Dec. 28, 2005 | March 29, 2007 |
| Affects | Windows 2000, Windows XP, Windows Server 2003 [Vista more than 12 months from consumer release] | Windows 2000, Windows XP, Windows 2003 Server, Vista |
| First used by | Malicious Web sites | Malicious Web sites |
| Problem cropped up/patched before? | Yes, last patched in MS05-053 (1 month before) | Yes, last patched in MS05-002 (2 years, 3 months before) |
| Spam containing exploit touts | Happy New Year! | Hot Pictures of Britney Spears! |
| Exploit construction kit released so anyone can be a cyber-cretin | Yes, within 6 days of news breaking | Yes, within 4 days of news breaking |
| Unsanctioned, unofficial third-party patches released before Microsoft's fix by | Ilfak Guilfanov | ZERT (Zeroday Emergency Response Team), eEye Digital Security, Determina |
| Microsoft patches on: | Jan. 5, 2006 | April 3, 2007 |
| Patch rated as | Critical | Critical |
| # of days between news and patch release | 8 days | 6 days |
| Microsoft releases out-of-cycle | Yes | Yes |
| Microsoft said: | "Our analysis and guidance has been consistent that although the attacks are serious, they have been fairly stable in terms of spread." -- Debby Fry Wilson, director, Microsoft Security Response Center (MSRC), Jan. 6. 2006 | "Our indications...show there is a threat for attacks against this vulnerability to increase, although we haven't seen anything widespread." -- Christopher Budd, program manager, MSRC, April 3, 2007 |
| Still used in attacks? | #11 on Kaspersky Lab's Top 20 for March 2007 | Stay tuned... |