Archive for the ‘Patch Management’ Category

ANI Patch: How Do You Think Microsoft Handled It?

Monday, April 9th, 2007

Last week, Microsoft released an out-of-band patch for a vulnerability in the handling of Windows animated cursor (ANI) files.

The vulnerability was discovered by Determina back in December 2006, which then notified Microsoft. For some, like eWeek’s Joe Wilcox, the four-month timeframe to get the patch out is unreasonably long.

Wilcox compares the ANI vulnerability to the Windows Metafile (WMF) bug that created problems back in late December 2005/early January 2006. “Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available.” Both flaws also led to the release of several other fixes to the GDI. However, the patch for the WMF vulnerability was available in a matter of days, not months.

Microsoft provided their own explanation of the process involved in releasing the patch. Based on some initial feedback from SANS, the extra testing may pay off in ensuring the patch is effective and doesn’t cause too many headaches. Larry Seltzer, another eWeek columnist, was one of many supporting Microsoft’s decision to release the patch ahead of tomorrow’s regular cycle, although he questioned the additional GDI patches being released with it. “By including it with this many other fixes they make it harder to test. Perhaps they should have left the rest of the update for next week,” Seltzer said.

Mike Rothman, in one of his Daily Incite posts last week, didn’t feel Microsoft handled the ANI vulnerability as well as they could have, but found several signs of improvement in how Microsoft is handling issues in general. Like Mike, I found Rob Graham’s explanation at Errata Security to be one of the more reasoned perspectives on the ANI vulnerability.

What did you think of Microsoft’s effort? How do you think they could improve?
