A criminal group responsible for using compromised Web sites to spread malicious software have already started using the latest Microsoft flaw to install their code from at least three servers in China, security experts said on Friday. The sites are using a flaw in the way Microsoft Windows handles animated-cursor files, which the software giant acknowledged on Thursday in a security advisory. While Microsoft has stated that the attacks using the animated-cursor vulnerability in Windows appear "to be targeted and not widespread," as many as 25,000 compromised Web pages currently use JavaScript to send visitors to the malicious Chinese sites, said Andreas Marx, CEO of antivirus software testing firm AV-Test.org. "The attackers have changed the exploits, (but) the same set of websites are still affected," Marx said in an e-mail to SecurityFocus. The JavaScript code had previously used known vulnerabilities to exploit the systems of visitors to various Web sites, including the site for Super Bowl venue Dolphin Stadium, but have now transitioned over to using a vulnerability that has not been patched, Marx said. Other security researchers have found a greater number of pages apparently hosting the file. A search of Google returns more than 113,000 pages with the JavaScript attack on it, according to a blog post by McAfee researcher Craig Schmugar. Both McAfee and Marx stressed that the Google results likely include a lot of pages that have since been taken down. The animated-cursor flaw affects all versions of Windows, including Windows Vista, as well as Internet Explorer 6 and 7. http://www.securityfocus.com/
