The .ANI file vulnerability in Windows was disclosed to Microsoft in 2006

Mar 31, 2007 10:27 GMT

While Microsoft has been dormant, dragging its feet when it comes to producing a security update for a critical vulnerability in Windows Animated Cursor Handling, eEye Research is delivering a cure for the malformed animated cursors plaguing Windows 2000, XP, Server 2003 and Vista. Although Microsoft has been aware of the .ANI file issue since December 20, 2006, more than three months later the company has still not delivered a fix, or even outlined a timetable for the availability of a security update. This has given third-party developers ample opportunity to release a security patch of their own.

"eEye Research has released a workaround for the zero-day vulnerability as a temporary measure for customers who have not yet installed Blink. Blink generically protects from this and other vulnerabilities without the need for updating and is available for free for personal use on all affected platforms except for Vista. This workaround is not meant to replace the forthcoming Microsoft patch, but rather as a temporary mitigation against this flaw," revealed the eEye Digital Security's Research Team.

The .ANI file vulnerability across the Windows platform stems from faulty format validation before cursors, animated cursors and icons are rendered. eEye's patch is designed to block the loading of .ani files from anywhere outside %SystemRoot%. eEye has clearly emphasized that while the patch is a valid mitigation, because it acts as a barrier preventing the loading of malicious animated icons and cursors from untrusted locations, it is also a temporary solution that should not take the place of the official Microsoft patch.
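As an added illustration (not eEye's or Microsoft's code), the following Python script checks an animated cursor's content rather than its path: it walks the RIFF/ACON chunk list, rejects any chunk whose declared size runs past the container, and flags any `anih` header chunk that is not the 36 bytes the format defines, which is the size field the Windows handler failed to validate. The sample files are constructed inline; `check_ani` and `build_ani` are names chosen here, not a real API.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields, always exactly 36 bytes

def iter_riff_chunks(data, start, end):
    """Yield (fourcc, payload_offset, size) for each chunk in data[start:end];
    raise ValueError when a declared chunk size runs past the container."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        payload = pos + 8
        if payload + size > end:
            raise ValueError(f"chunk {fourcc!r} at {pos} declares {size} bytes, exceeds container")
        yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF pads odd-length chunks to an even boundary

def check_ani(data):
    """Return a list of findings; an empty list means the ANI structure is sane."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_len, len(data))  # never trust the RIFF length beyond the real file size
    anih_seen = 0
    try:
        for fourcc, payload, size in iter_riff_chunks(data, 12, end):
            if fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:  # every anih chunk, not only the first, must be 36 bytes
                    findings.append(f"anih chunk #{anih_seen} has size {size}, expected {ANIH_SIZE}")
    except ValueError as e:
        findings.append(str(e))
    if anih_seen == 0:
        findings.append("no anih header chunk")
    return findings

def build_ani(*anih_payloads):
    """Constructed sample builder: a minimal RIFF/ACON container holding the given anih chunks."""
    body = b"ACON"
    for payload in anih_payloads:
        chunk = b"anih" + struct.pack("<I", len(payload)) + payload
        body += chunk + b"\0" * (len(chunk) & 1)
    return b"RIFF" + struct.pack("<I", len(body)) + body

VALID_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)  # constructed 36-byte ANIHEADER
GOOD_ANI = build_ani(VALID_HEADER)                                 # well-formed cursor
BAD_ANI = build_ani(VALID_HEADER, b"\x41" * 200)                   # constructed: oversized second anih chunk
```

This is a content check that complements the path-based workaround described above; a file that passes it can still be rejected by location policy, and one that fails it should never reach the cursor handler.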

"While we appreciate that these are provided to help protect customers, we do recommend that customers only apply security updates and mitigations provided by the original software vendor. This is because as the maker of the software, we can give our security updates and guidance thorough testing and evaluation for quality and application compatibility purposes. We're not able to provide similar testing for independent third party security updates or mitigations," commented Christopher Budd, a security researcher with the Microsoft Security Response Center.