A private security research outfit says it notified Microsoft about the animated cursor (.ani) code execution vulnerability in December 2006, a full four months ahead of yesterday’s discovery of Internet Explorer drive-by attacks.
According to Alexander Sotirov, chief reverse engineer at Determina, his research team discovered and reported the flaw to Microsoft last December. On January 3, 2007, Microsoft reserved CVE-2007-0038 to use in its security bulletin.
So far this year, Microsoft has shipped 16 bulletins to fix a wide swathe of software vulnerabilities, but the animated cursor bug remains unpatched.
A Redmond spokesman confirmed that Determina responsibly disclosed the details of this flaw last year. “We have been working with Determina since their report in December to investigate the issue and develop a comprehensive update to address the issue,” the spokesman said.
So, why has it taken so long to provide protection to Windows users? Microsoft explains:
Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.
Meanwhile, Determina warns that the vulnerability is “trivially exploitable on all versions of Windows, including Vista.”