Comments on: Windows Zero-day “Animated Cursor” Vulnerability

By: TheMatt

TheMatt — Sat, 07 Apr 2007 02:00:14 +0000

As far as I know, the term “zero-day” applies the time between patch release and public knowledge. If exploit code is publicly released before a patch for it is released. This interpretation is backed up by an admittedly shaky Wikipedia article.

I guess the point I got from this news is that it doesn’t really matter when the vendor learns of a vulnerability…what’s more important is the proximity of public knowledge of the vulnerability, working exploit code, and the release of a patch to fix the vulnerability. In this case, the advanced notice that Microsoft received from a responsible researcher was squandered when they failed to proactively release a patch before proof-of-concept code showed up in the wild and the vulnerability became public…and now it can be actively exploited until everyone’s Windows Update will grab the patch. And even then, autonomous worms will continue to propagate by this exploit when they can.

Also, it’s important to note that “patch released” does not mean “vulnerability negated.” Any unpatched systems will still be vulnerable…and we all know that all manner of people don’t know or care to update their systems. That’s why a clean, unpatched Windows install stays uninfected for mere minutes when connected to the public Internet.

By: Ursula

Ursula — Fri, 06 Apr 2007 23:27:13 +0000

my laptop hasn’t been the same since this FIX was forced on my system. What a joke. It moved system32 function of my AVG grisoft software so now my laptop is not protected with an antivirus. And the fix Microsoft suggests is another patch that has to do with some audio crap that has nothing to do with my machine. I am so mad I could scream.

By: links for 2007-04-04 at Baron VC

links for 2007-04-04 at Baron VC — Wed, 04 Apr 2007 20:22:59 +0000

[...] Windows Zero-day “Animated Cursor” Vulnerability Animated cursors? Hello? One of the reasons I love these guys (from afar). (tags: windows microsoft) [...]

By: Mackenzie

Mackenzie — Tue, 03 Apr 2007 01:46:04 +0000

Doesn’t zero-day mean the exploit is made public with “zero days of warning” to the company in charge (in this case, Microsoft)? I’m pretty sure the day-count goes by when the company (or development team) is alerted to the issue, not when they get around to patching it. It wouldn’t exactly be a vulnerability if it’s announced after the patches are already out. Hey, Microsoft knew about the MS Word issues for months without patching them.

By: TheMatt

TheMatt — Tue, 03 Apr 2007 01:35:38 +0000

Even if it was announced by ZDNet last week, that’s still significantly later than December 20th (which was when Microsoft was first made aware of this vulnerability by an independent researcher). This puts it solidly in the realm of the “zero-day” definition. Proof-of-concept code is out in the wild well before Microsoft’s patch is rolled out.

By: Mackenzie

Mackenzie — Mon, 02 Apr 2007 23:33:34 +0000

If this was announced by ZDNet last week, I’m pretty sure it’s disqualified from being called “zero-day.”