Never Slow Down: MS07-017 ANI Exploit Activity Timeline
This ANI thing has been exploding over the past few days. To see why Microsoft handled this well and released an out-of-band patch, MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution, take a look at this activity timeline. From the first public report by malware-test on March 27 until today, the day after MS07-017 was released, you can see nearly day-on-day doubling or worse. This data was built from reports by third parties, including the fine folks at Websense, who have a timeline of the ANI exploit as well as some interesting stats and breakdowns. Thanks, Dan, for sharing the data.
Now that MS07-017 is out, this may slow down in a few days. WMF did, setSlice() did, createTextRange() did. Well, they slowed down. They haven’t gone away; even just today we saw some of their use.
If you haven’t installed MS07-017 yet or you don’t have it in testing, why not? You can track info about this threat on ATLAS if you would like, as well as dozens of other threats. To show you just how effective the exploit is, another third party, Determina, has posted a video demo of ANI vs Vista, using Metasploit. Great demo of what this kind of attack gives you.