It’s real, it’s not a “deja vù”. Yesterday, March 29, a new 0-day exploit with the ANI file format was discovered in the wild. This vulnerability is due to the way Microsoft Windows handles the animated cursor. Microsoft has released an advisory.

Affected systems include Win2k SP4, XP SP2, Server 2003 and Vista. Animated icons embedded in web page or emails can be used to exploit it, so be careful with emails received these days. Internet Explorer 7 in Vista with Protection Mode is protected from active exploitation, but Outlook is vulnerable.

This vulnerability seems to be like the old ANI vulnerability (MS05-002), and probably exploits the same failure but with another technique. Microsoft released a patch for the old ANI vulnerability (MS05-002), but it didn’t fix the underlying cause, leaving a way to exploit it again.