echo: nthelp
to: Rich Gauszka
from: mike
date: 2007-04-01 19:04:50
subject: Re: Microsoft: Let my patches go!!!!

From: mike 


fwiw, on the Avast AV forum, it has been noted that the Avast AV will
intercept some of this exploit.
http://forum.avast.com/index.php?topic=27481.0

Would be nice, though, if Microsoft were more concerned about the security
of the PCs it has taken ownership of.

 /m




On Sun, 1 Apr 2007 17:08:29 -0400, "Rich Gauszka" wrote:

>Well, we only have another week and a half to follow Microsoft's solution of
>"don't read emails in Microsoft products".
>
>http://www.eweek.com/article2/0,1895,2110151,00.asp
>
>Opinion: Many operations fell short for the .ANI vulnerability to still be
>unpatched today. Microsoft: Let my patches go!
>
>
>There are many reasons to be disappointed in Microsoft over the .ANI
>vulnerability that is the talk of the security community the last few days.
>The analysis of the bug and its history speak badly of Microsoft's efforts
>in many ways: The company's patching practices came up short, its security
>protection technologies came up short, and its code analysis was shoddy.
>There are many reasons why this should never have happened, and now we
>should all be upset about it.
>The most glaring problem is the fact that Microsoft was informed of this
>vulnerability on Dec. 20, 2006, by Determina. It's April now and Microsoft
>released no updates last month. It's possible that the company is planning
>to wait for the April patch day (April 10), but my guess is that a patch
>will be coming out "out of cycle" the way they did for the WMF bug.
>
>What can possibly take this long? Almost within hours, eEye had a mitigation
>patch out that prevents cursors from loading anywhere except %SYSTEMROOT%.
>This is, of course, far from perfect, but it's an effective mitigation. Why
>didn't Microsoft have something like this available?
>
>It's reasonable for Microsoft to take time testing security updates to make
>sure they don't cause problems. This is a trade-off, and the fact that
>sometimes there are problems anyway proves that there's always a reason to
>do more testing. But when Microsoft takes several months like this to fix a
>really serious bug, it runs a serious risk. It should at least have some
>less-than-perfect option available for users, like eEye's patch.
>
>If you didn't want to apply a third-party patch, and of course Microsoft
>tells you that it can't endorse such things, there are steps you can take to
>mitigate it. In this case the steps are unsatisfying and, in some cases,
>confusing. When Microsoft tells you, "As a best practice, users should
>always exercise extreme caution when opening or viewing unsolicited e-mails
>and e-mail attachments from both known and unknown sources," what are we to
>make of this? You can't always know an e-mail was unsolicited until you read
>it. Should we stop reading e-mail until there is a patch?
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
