eWeek Microsoft Watch
April 3, 2007 3:21 PM

Microsoft Sees Double (Security Tuesdays)

Microsoft kicked off the first of two Security Tuesdays with the out-of-band patch for the Animated Cursor zero-day exploit. The software giant plans to release more security patches next week.

The double patch days pretty much wipe out any goodwill earned in March, when Microsoft released no security fixes at all. Tough break.

Among the zero-day nasties, the ANI exploit is right up there with WMF. Both flaws sit in Windows' image and cursor handling, both were being exploited in the wild before a fix existed, and Microsoft shipped an out-of-band patch for each.

A pretty good sign of a really bad zero-day vulnerability is when Microsoft recommends reading e-mail in plain text as a workaround for an exploit, as it did with ANI. Plain text only closes the e-mail vector, though: a crafted cursor served from a web page still reaches the same code through Internet Explorer, so the workaround is a stopgap, not a substitute for the patch. E-commerce partners sending out newsletters and marketing e-mail probably just love that advice.

Outlook 2007 escaped ANI's wrath because it renders HTML mail with Word rather than with Internet Explorer's engine. Ha, finally Microsoft can explain away the perplexing HTML-rendering decision as a security mechanism. Why didn't Microsoft make that defense when everybody was asking why back in January?

When I see ANI, I read it as "an-ee," like Padmé's nickname for Anakin Skywalker in "Star Wars." What has become of both Anis?

Animated cursors have been near the top of my do-not-download list for some time, although there often isn't a choice. Emoticons are high up there, too. Basically, any download that appeals to kids or teens is a good candidate for trouble.
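For readers who would rather filter than forbid, here is the structural check a download filter or mail gateway could apply to .ani files. It is added here as an example and is not code from the original post or from Microsoft: a strict RIFF/ACON chunk walker that rejects cursors whose chunk sizes do not fit inside the container, or whose anih header is not the documented 36-byte ANIHEADER. The sample cursors are constructed inside the block (the icon payload is a placeholder, not a real bitmap), and the check is format conformance only, not a signature for any particular exploit.

```python
import struct

ANIHEADER_SIZE = 36  # documented size of the ANIHEADER structure carried by an "anih" chunk


def iter_chunks(data, start, end):
    """Yield (fourcc, payload) for the RIFF chunks in data[start:end].

    Every declared chunk size is checked against the enclosing bounds before the
    payload is sliced, so a chunk that claims more bytes than exist is reported
    instead of silently read past the end.
    """
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_start = pos + 8
        body_end = body_start + size
        if body_end > end:
            raise ValueError(
                f"chunk {fourcc!r} at {pos} declares {size} bytes, "
                f"only {end - body_start} remain")
        yield fourcc, data[body_start:body_end]
        pos = body_end + (size & 1)  # RIFF chunks are padded to an even length


def validate_ani(data):
    """Return a list of problems; an empty list means the file is a well-formed ANI."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        problems.append(f"RIFF size {riff_size} does not match file length {len(data)}")
    end = min(len(data), riff_size + 8)
    anih_seen = 0
    try:
        for fourcc, body in iter_chunks(data, 12, end):
            if fourcc == b"anih":
                anih_seen += 1
                if len(body) != ANIHEADER_SIZE:
                    problems.append(f"anih chunk is {len(body)} bytes, expected {ANIHEADER_SIZE}")
                else:
                    (cb_size,) = struct.unpack_from("<I", body, 0)
                    if cb_size != ANIHEADER_SIZE:
                        problems.append(f"anih cbSize field is {cb_size}, expected {ANIHEADER_SIZE}")
            elif fourcc == b"LIST":
                if len(body) < 4:
                    problems.append("LIST chunk too short to carry a list type")
                elif body[:4] == b"fram":
                    # Frame list: walk the nested icon chunks with the same bounds checks.
                    for sub, _ in iter_chunks(body, 4, len(body)):
                        if sub != b"icon":
                            problems.append(f"unexpected {sub!r} chunk inside fram list")
    except ValueError as exc:
        problems.append(str(exc))
    if anih_seen == 0:
        problems.append("no anih chunk")
    elif anih_seen > 1:
        problems.append(f"{anih_seen} anih chunks; a cursor needs exactly one")
    return problems


# --- constructed sample files (not real cursors; the icon payload is filler) ---

def chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 22))

GOOD_ANI = riff_acon([chunk(b"anih", ANIH), FRAMES])
# Oversized second anih header: structurally invalid, so the filter should drop it.
BAD_ANI = riff_acon([chunk(b"anih", ANIH), chunk(b"anih", b"A" * 64), FRAMES])

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI), ("truncated", GOOD_ANI[:-5])):
        print(name, validate_ani(sample) or "ok")
```

Run it as a script and the good cursor passes, the one with a 64-byte anih chunk is reported twice (wrong header size, and two headers where there should be one), and a truncated copy is caught by both the container-length check and the chunk bounds check rather than by an index error.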

Pretty much everybody should install the ANI patch as soon as possible, which is going to be a pain for some IT organizations. Any patch that touches graphics handling is sure to break compatibility with something. Those IT organizations choosing to deploy, whether or not they test first, get to go through the whole process again next Tuesday.

Since we're heaping on the bad news, Microsoft has tweaked its life-cycle policy to accommodate Microsoft Update:

"With the recent introduction of Microsoft Update, it is now possible for Microsoft to modify the Extended Support phase to include security updates via Microsoft Update for the full length of Extended Support. For customers, this results in the availability of all security downloads for products in Extended Support from Microsoft Update for at least an additional three years."

The change means that IT organizations already besieged by patch management, and by pesky Automatic Updates sneaking untested fixes onto some end-user PCs, now need to watch more carefully for Extended Support patches arriving unfiltered through Microsoft Update. Surely there is an ultimate benefit here, but not without a little pain first.

What's that saying about no pain, no gain?


Comments (2)

Chamelion:

I have just downloaded the security patch from Microsoft. My XP drive now does not boot anymore. Not to the last known good configuration, not in safe mode, not at all. I am writing this from my Linux drive. I wonder how Microsoft is going to fix that!
Very unhappy.

Microsoft can't be expected to avoid security issues altogether. After all, Windows is by far the most targeted piece of software on the market. Thankfully, they simply let us know about the problem and do what they can to correct it in a timely manner. Why does doing the right thing go hand in hand with taking a few lumps?

Ziff Davis Enterprise