echo: nthelp
to: All
from: Rich Gauszka
date: 2007-04-01 17:08:28
subject: Microsoft: Let my patches go!!!!

From: "Rich Gauszka" 

Well, we only have another week and a half to follow Microsoft's solution of
"don't read emails in Microsoft products."

http://www.eweek.com/article2/0,1895,2110151,00.asp

Opinion: Many operations fell short for the .ANI vulnerability to still be
unpatched today. Microsoft: Let my patches go!


There are many reasons to be disappointed in Microsoft over the .ANI
vulnerability that is the talk of the security community the last few days.
The analysis of the bug and its history speak badly of Microsoft's efforts
in many ways: The company's patching practices came up short, its security
protection technologies came up short, and its code analysis was shoddy.
There are many reasons why this should never have happened, and now we
should all be upset about it.
The most glaring problem is the fact that Microsoft was informed of this
vulnerability on Dec. 20, 2006, by Determina. It's April now and Microsoft
released no updates last month. It's possible that the company is planning
to wait for the April patch day (April 10), but my guess is that a patch
will be coming out "out of cycle" the way they did for the WMF
bug.

What can possibly take this long? Almost within hours, eEye had a
mitigation patch out that prevents cursors from loading anywhere except
%SYSTEMROOT%. This is, of course, far from perfect, but it's an effective
mitigation. Why didn't Microsoft have something like this available?

It's reasonable for Microsoft to take time testing security updates to make
sure they don't cause problems. This is a trade-off, and the fact that
sometimes there are problems anyway proves that there's always a reason to
do more testing. But when Microsoft takes several months like this to fix a
really serious bug, it runs a serious risk. It should at least have some
less-than-perfect option available for users, like eEye's patch.

If you didn't want to apply a third-party patch, and of course Microsoft
tells you that it can't endorse such things, there are steps you can take
to mitigate it. In this case the steps are unsatisfying and, in some cases,
confusing. When Microsoft tells you, "As a best practice, users should
always exercise extreme caution when opening or viewing unsolicited e-mails
and e-mail attachments from both known and unknown sources," what are
we to make of this? You can't always know an e-mail was unsolicited until
you read it. Should we stop reading e-mail until there is a patch?

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
