Animated cursor flaw discovered for Windows (1st Update)

Tech News

By Steve Ragan Mar 31, 2007, 16:22 GMT

There is more news surrounding the recent Microsoft disclosure of a flaw in the way .ANI files are handled. .ANI files are used by web developers and programmers to display custom cursor animations, and designs. “In order for this attack to be carried out, a user must either visit a website that contains a web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker,” said Adrian Stone of MSRC. The update to this story centers on some important points which again call Microsoft’s security practices into question. Alexander Sotirov, from Determina Security Research has reported that his team discovered this flaw and alerted Microsoft as far back as December, because of that Microsoft reserved CVE-2007-0038 for use in the security alert. Microsoft confirms this on their Microsoft Security Response Center blog.“We were first made aware of the vulnerability in Windows Animated Cursor Handling on December 20, 2006 when it was responsibly reported to us by a security researcher at Determina. My colleague Adrian Stone took the report and immediately began an investigation, working with Determina on the issue. We have been working on this investigation since December to fully understand the issue and have been working to develop a comprehensive update as part of our standard MSRC process. Determina has been and continues to work with us responsibly on this issue, and we thank them for helping us to protect customers.” –Christopher Budd MSRCMicrosoft has also issued and update to their Security Advisory on this issue. Remember that the original advice Microsoft gave was to read email in plain text; this is for Outlook Express, Outlook, and Windows Mail users alike. This is not an effective method of mitigation anymore according to Microsoft, “Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker. Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.”The email method of attack is what gained the most attention, the availability of HTML based email allows for a ‘silent’ attack. There is another form of mitigation, when users of Outlook 2002 (SP1), 2003, and 2007, use MS Word to as the default email editor. Not doing so allows the attack to work in those clients because the protection only come from the preview pane, and not when you Forward, or Reply as mentioned.Other updates related to this story are the Vista issues. Microsoft maintains Vista is not affected because of Internet Explorer and the UAC. IE7 on Vista runs in Protected Mode, the MSRC says this will offset the attack by preventing it. Also on Vista, the UAC (User Account Control) will prompt the user to allow the exploit. The fact is, the UAC is just that, a prompt to allow, it will give not warning about an exploit just a question to allow the action or not. Because many users who leave the UAC enabled ignore it, this is not a stable method of protection.eEye Digital research has posted a patch for this Zero-Day attack. The program is called ‘Blink’ and is free of charge for personal use. While third parties are not recommended or supported by Microsoft, eEye is a known and respected security vendor. The program and patch are located at http://research.eeye.com/html/alerts/zeroday/20070328.html.The recent release of public exploit code on sites like Millw0rm and other forums has prompted the Internet Storm Center to raise their alert level to Yellow. That is significant because unless the risk is severe they almost never raise those levels. The last time was in March 2006, according to their website.Currently thirty-two known websites are hosting the exploit. One of those sites was used to host malicious files during the Super Bowl attacks earlier this year (bc0.cn). This is the reason many news sites claim the two attacks are related. However, this is likely false, as most of the sites might not even know they are spreading the Worms. The complete list of domains, as well as MD5 sums for router and firewall blocking are located at http://isc.sans.org/diary.html?storyid=2540Microsoft is expected to release a patch for this in the April updates.

Your Talkback on this Story

Note posts made on our older Talkback system will still show below. However, new posts can only be made via the new system (above). We will export the old comments to the new shortly. You can still comment as a guest on the new system but it also allows you to login using various social network and other accounts.

Other features coming soon.

Talkback

page: 1

RaulMar 31st, 2007 - 16:57:24

Which is the correct spelling of the witch used in the first line of the first paragraph.

Report this comment

ReaderMar 31st, 2007 - 17:00:41

I can't make sense of these sentences.

'There is another form of mitigation, when users of Outlook 2002 (SP1), 2003, and 2007, use MS Word to as the default email editor. Not doing so allows the attack to work in those clients because the protection only come from the preview pain, and not when you Forward, or Reply as mentioned.'

Report this comment

cyloMar 31st, 2007 - 17:01:45

The update to this story centers on some important points witch again call Microsoft’s security practices into question.

I agree... pointy witches!?

Report this comment

ChrisMar 31st, 2007 - 17:28:12

Sensationalist writing with typos makes for a bad article. There are so many buzz-phrases and words in here to paint MS in a bad light it's hilarious.

'The update to this story centers on some important points witch' [sic] 'again call Microsoft's security practices into question.'
-Sigh

Might as well go back to CNN.com now...

Report this comment

Easier SolutionMar 31st, 2007 - 17:37:14

Why not use FireFox instead of IE and Thunderbird instead of Outlook? Issue resolved!

Report this comment

DrJohnMar 31st, 2007 - 18:42:26

Oh no, another Microsoft/Windows security issue! Isn't it obvious that we wouldn't be having all these internet security problems if we didn't use Windows?

Report this comment

HenryMar 31st, 2007 - 20:08:58

Unfortunately Firefox & Thunderbird users can't have a false sense of security. This from the Determina Security Research website:

'...All applications that use the standard Windows API for loading cursors and icons are affected. This includes Windows Explorer, Internet Explorer, Mozilla Firefox, Outlook and others...'

Report this comment

SirronApr 1st, 2007 - 16:50:00

blah blah blah, are you sure it's a zero day...? I mean... it's all released...

Report this comment

page: 1

Tech

Animated cursor flaw discovered for Windows (1st Update)

Tech News

Your Talkback on this Story

Talkback

Latest Headlines in Tech

From Sites We Like

Latest PopEater News

Latest Cinema Blend News

Latest Tech Herald News

In Monsters and Critics

Corporate

The Fine Print