Vulnerability in Windows Animated Cursor Handling

A security vulnerability in how Windows renders cursors and icons is being investigated by Microsoft, this vulnerability affects Windows 2000, 2003, Windows XP, and Windows Vista, but, if you already have IE7, you should be okay as the protected mode will protect you. Also, if you use Outlook 2007 you are okay as it uses Microsoft Word to display email messages.

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. Source: Microsoft Security Advisory (935423) Vulnerability in Windows Animated Cursor Handling

Microsoft suggests reading your email in plain text as a work around.

Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

The changes are applied to the preview pane and to open messages.

Pictures become attachments so that they are not lost.

Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

McAfee Avert Labs Blog has posted a video here.