Animated cursor flaw discovered for Windows (1st Update)

By Steve Ragan Mar 31, 2007, 20:22 GMT

There is more news surrounding the recent Microsoft disclosure of a flaw in the way .ANI files are handled. .ANI files are used by web developers and programmers to display custom cursor animations and designs. “In order for this attack to be carried out, a user must either visit a website that contains a web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker,” said Adrian Stone of MSRC.

The update to this story centers on some important points which again call Microsoft’s security practices into question. Alexander Sotirov of Determina Security Research has reported that his team discovered this flaw and alerted Microsoft as far back as December; because of that report, Microsoft reserved CVE-2007-0038 for use in the security alert. Microsoft confirms this on their Microsoft Security Response Center blog.

“We were first made aware of the vulnerability in Windows Animated Cursor Handling on December 20, 2006 when it was responsibly reported to us by a security researcher at Determina. My colleague Adrian Stone took the report and immediately began an investigation, working with Determina on the issue. We have been working on this investigation since December to fully understand the issue and have been working to develop a comprehensive update as part of our standard MSRC process. Determina has been and continues to work with us responsibly on this issue, and we thank them for helping us to protect customers.” –Christopher Budd MSRC

Microsoft has also issued an update to their Security Advisory on this issue. Remember that the original advice Microsoft gave was to read email in plain text; this applied to Outlook Express, Outlook, and Windows Mail users alike. According to Microsoft, this is no longer an effective method of mitigation: “Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker. Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.”

The email method of attack is what gained the most attention, since HTML-based email allows for a ‘silent’ attack. There is another form of mitigation: users of Outlook 2002 (SP1), 2003, and 2007 can set MS Word as the default email editor. Not doing so allows the attack to work in those clients, because the protection otherwise comes only from the preview pane and not when you Forward or Reply, as mentioned above.

Other updates related to this story concern Vista. Microsoft maintains that Vista is not affected because of Internet Explorer and UAC. IE7 on Vista runs in Protected Mode, which the MSRC says will offset the attack by preventing it. Also on Vista, UAC (User Account Control) will prompt the user to allow the exploit. The fact is, UAC is just that, a prompt to allow: it gives no warning about an exploit, just a question of whether to allow the action or not. Because many users who leave UAC enabled simply click through it, this is not a reliable method of protection.

eEye Digital Research has posted a patch for this zero-day attack. The program is called ‘Blink’ and is free of charge for personal use. While third-party patches are not recommended or supported by Microsoft, eEye is a known and respected security vendor. The program and patch are located at http://research.eeye.com/html/alerts/zeroday/20070328.html.

The recent release of public exploit code on sites like milw0rm and other forums has prompted the Internet Storm Center to raise their alert level to Yellow. That is significant because they almost never raise those levels unless the risk is severe. The last time was in March 2006, according to their website.

Currently thirty-two known websites are hosting the exploit. One of those sites (bc0.cn) was used to host malicious files during the Super Bowl attacks earlier this year. This is the reason many news sites claim the two attacks are related. However, this is likely false, as most of the sites might not even know they are spreading the worms. The complete list of domains, as well as MD5 sums for router and firewall blocking, is located at http://isc.sans.org/diary.html?storyid=2540

Microsoft is expected to release a patch for this in the April updates.
