Microsoft confirms animated-cursor flaw微软正式公布动态链接（animated-cursor）漏洞

  翻译不准备的地方，请大家指正，谢谢！

＝＝＝＝＝＝

Microsoft confirms animated-cursor flaw

微软正式公布动态链接（ animated-cursor ）漏洞

Published: 2007-03-29

 

Microsoft confirmed on Thursday that attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.

本周四，微软公司发表声明：黑客能够通过一个漏洞入侵系统，通过这个漏洞入侵者可以绕过系统直接调用动态链接文件。

Animated cursors are looping images that replace the standard pointer on Windows systems. The flaw affects how all Microsoft operating systems--including the latest versions of Windows 2000, Windows XP, Windows Server 2003 and Windows Vista--handle animated-cursor files, according to the software giant. There does not seem to be any evidence that the flaw is being used in a real-world attack, but Microsoft gave its standard rundown on the possible vectors of attack.

动态链接是循环镜像机制，在 Windows 系统中他用来复位标准指针。这个漏洞对几乎所有的操作系统——包括最新的操作系统 Windows 2000,Windows XP,Windows Server 2003 和 Windows Vista ，这些系统都是通过动态链接库来管理系统的。目前尚未有明显的证据表明入侵者利用这个漏洞入侵过系统，但是微软公司依然发布了这个漏洞。

"Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code," Microsoft said in its advisory. "While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type."

微软的发言人表示：“通过浏览网页，预览或者阅读一些特殊的信息，或者打开 Email 附件，都有可能运行这些不安全代码。动态链接与 .ani 文件相互联系，所以黑客不仅仅可以通过动态链接入侵系统，也可以通过其他与动态链接相关的信息入侵系统。”

McAfee reported the vulnerability on Wednesday after finding a description of the flaw posted to an unidentified message board. The company later received a malicious file that used the animated-cursor vulnerability to compromise the user's system. On Windows Vista, the exploit causes the system to endlessly crash and restart, the antivirus firm said on Thursday.

McAfee 在周三的系统漏洞报告中指出：公司捕获到了黑客通过动态链接漏洞攻击危及用户系统。反病毒公司表示：在 Windows Vista 系统中，动态链接攻击导致 Vista 系统崩溃并重启。

Microsoft released Internet Explorer 7 in October, significantly improving the security of the browser. While McAfee stated that the exploit affects Windows XP systems with Service Pack 2 installed running either Internet Explorer 6 or 7, Windows Vista systems run Internet Explorer 7 in protected mode and so are not affected, Microsoft said.

在 10 月份即将推出的 IE 7 浏览器时，微软公司主要强调这个版本浏览器的安全性。然而 McAfee 表示安装了 IE 6 或 IE 7 Windows XP SP2 的系统依然会受攻击。但是微软公司声明在 Windows Vista 系统中运行 IE 7 将不会受到动态链接攻击。

Microsoft stated that the company would have to issue a security update to patch the issue.

微软公司表示为了系统的安全，用户需尽快更新他们的安全补丁。