Full Version: Vulnerability In Windows Animated Cursor Handling
quietman7
QUOTE
Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7...
nist.gov

Microsoft Security Advisory (935423)
harrywaldron
Some additional links are noted below:

ANI based Trojans - Exploit Windows Animated Cursor handling

New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. This malware uses the ANI extension which has been rarely manipulated by malware in the past. Corporate admins should add ANI to their email blocking lists.

Users should be cautious with all HTML based email (use plain text if possible). They should also be careful to only visit trusted and mainstream websites. The ANI malware can hide within HTML code. This vulnerability in Windows will lead to a crash of the security system so that other malware will be downloaded and installed on the infected system.

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/...ory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any...uld-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors - note Trend is reporting a 2nd variant
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analy...rojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

QUOTE
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This issue is due to a memory corruption error when rendering malformed cursors, animated cursors or icons, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a malicious web page or viewing an email message containing a specially crafted ANI file.
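
As an added example (not part of the thread or any vendor's code), here is a sketch of the mail-gateway check recommended in the post above, extended to recognise ANI files by their RIFF/ACON signature rather than by file name alone, since a renamed file keeps its content. The function names, the 36-byte header size taken from the public ANI layout, and the sample files are assumptions constructed for this illustration.

```python
import struct

ANIH_SIZE = 36  # assumption: header size in the public RIFF/ACON layout (9 DWORDs)

def is_ani(data: bytes) -> bool:
    """True if the bytes carry the RIFF/ACON signature, whatever the file is named."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def ani_problems(data: bytes) -> list:
    """Walk the top-level RIFF chunks and list structural inconsistencies."""
    problems, pos, headers = [], 12, 0
    while pos + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, pos)
        pos += 8
        if size > len(data) - pos:  # declared length runs past the end of the file
            problems.append(f"{tag!r} chunk claims {size} bytes, {len(data) - pos} left")
            return problems
        if tag == b"anih":
            headers += 1
            if size != ANIH_SIZE:
                problems.append(f"anih chunk is {size} bytes, expected {ANIH_SIZE}")
        pos += size + (size & 1)  # chunks are padded to an even length
    if headers != 1:
        problems.append(f"{headers} anih chunks, expected 1")
    return problems

def verdict(filename: str, data: bytes) -> str:
    """Mail-gateway style decision: block by content first, then by extension."""
    if is_ani(data):
        return "block: malformed ANI content" if ani_problems(data) else "block: ANI content"
    if filename.lower().endswith(".ani"):
        return "block: .ani extension"
    return "allow"

def _chunk(tag, body):
    return tag + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")

def _riff(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples (not real-world files).
GOOD = _riff(_chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
ODD = _riff(_chunk(b"anih", b"\0" * 36), _chunk(b"anih", b"\0" * 40))
TRUNC = GOOD[:-10]

if __name__ == "__main__":
    for name, blob in [("cursor.ani", GOOD), ("photo.jpg", ODD), ("pic.gif", TRUNC), ("note.txt", b"hello")]:
        print(name, "->", verdict(name, blob))
```

The structural findings are only useful for logging and triage; the blocking decision follows the post's advice and rejects every ANI file, well-formed or not.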
quietman7
Microsoft to release update for ANI vulnerability on 4/03/07

QUOTE
Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early as they usually release security patches on every second Tuesday of the month but as there is an increasing activity of sites and malware using the ANI vulnerability, they decided to release it early.

http://www.f-secure.com/weblog/archives/ar...7.html#00001159
jgweed
MS was informed of this flaw in December. However, the flaw appears now to be actively exploited:

"For the past week, criminals have been exploiting the vulnerability, which stems from a flaw in the way that Windows renders animated cursor files (to conceptualize this built-in capability, think of cute mouse arrows that leave a trail behind when you move them). By convincing a Windows user to open a specially crafted e-mail or to visit a Web site that is currently hosting the exploit, attackers can take complete control over almost any Windows computer in use today."

http://blog.washingtonpost.com/securityfix...ml?nav=rss_blog

Regards,
John
quietman7
Critical MS07-017 patch released

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
http://www.microsoft.com/technet/security/...n/ms07-017.mspx

Update for Windows XP (KB925902)
File Name: WindowsXP-KB925902-x86-ENU.exe
Version: 925902
Date: 4/03/07
Download link: http://www.microsoft.com/downloads/details...;displaylang=en

QUOTE
Known issues
After you install this security update on a Windows XP Service Pack 2 (SP2)-based computer, Realtek HD Audio Control Panel (Rthdcpl.exe) may not start...

http://support.microsoft.com/?kbid=925902
Gyan


Please take note of this thread concerning this problematic update to some.

http://www.bleepingcomputer.com/forums/topic87278.html

tx