MS07-017 Released

Hello everyone,

This is Christopher Budd. I wanted to follow up on my posting from Sunday night to let you know that we’ve released the security update, MS07-017, that addresses the vulnerability in Windows Animated Cursor Handling.

As I noted on Sunday night, we originally planned to release the update on Tuesday, April 10, 2007 as part of our regular monthly release of security bulletins. We have been monitoring the situation throughout and our indications, and those of our MSRA partners, show there is a threat for attacks against this vulnerability to increase although we haven’t seen anything widespread. Based on customer feedback and our teams’ ability to complete testing in an expedited manner by working around the clock, we’ve gone ahead and released this update early to help better protect customers from this threat.

We are encouraging customers to test and deploy this update as quickly as possible, as well as to ensure that you have the latest signatures and updates for your security products such as antivirus. Home users or small business users who have followed best practices and configured Automatic Updates (AU) will automatically receive this update and do not need to take any additional action. Business users who are using Windows Server Update Services (WSUS) and Systems Management Server (SMS) can use these to automatically detect and deploy the update.

We noted in our original advisory that attacks against this vulnerability affect all supported versions of Windows and Windows Server, including Windows Vista, and have been web-based and e-mail-based. If you are using Windows Vista, the Internet Explorer 7 protected mode provides additional protections against web-based attacks. Also, if you’re using Outlook 2007, you’re protected against e-mail-based attacks. Running as a standard user further protects you by limiting the attacker’s code to the same restrictions that apply to the logged-on user. We call these out in the Mitigating Factors section of the security bulletin MS07-017.

We’ve gotten some questions asking if today’s out-of-band release means we’re cancelling our regularly scheduled April release, scheduled for April 10, 2007. The answer to that is no: we are still planning to release information about any updates to be released on April 10, 2007 through our Advance Notification page on Thursday, April 5, 2007.

We will be discussing today’s bulletin during our regularly scheduled April 2007 TechNet Security Bulletin webcast. This month, the webcast will be held Wednesday, 11 April 2007 11:00 AM (GMT-08:00) PT. You can register for it here:

Finally, a reminder for your testing: as part of our regular process, we document any known issues in the Master Knowledge Base article referenced in the “Caveats” section of the security bulletin. So be sure to check Microsoft Knowledge Base Article 925902 for any known issues with MS07-017. As of this morning, there is a single known issue affecting Windows XP SP2 users who have a Realtek HD Audio Control Panel installed, for which there is a hotfix available.



*This posting is provided “AS IS” with no warranties, and confers no rights.*