BleepingComputer.com: Vulnerability In Windows Animated Cursor Handling

Vulnerability In Windows Animated Cursor Handling Patch by MS released on 4/03/07 - update ASAP

#1 quietman7

Posted 30 March 2007 - 06:30 AM

Quote

Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7...
nist.gov

Microsoft Security Advisory (935423)

This post has been edited by quietman7: 03 April 2007 - 01:42 PM

Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#2 harrywaldron

Posted 30 March 2007 - 02:49 PM

Some additional links are noted below:

ANI based Trojans - Exploit Windows Animated Cursor handling

New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. This malware uses the ANI extension which has been rarely manipulated by malware in the past. Corporate admins should add ANI to their email blocking lists.

Users should be cautious with all HTML based email (use plain text if possible). They should also be careful to only visit trusted and mainstream websites. The ANI malware can hide within HTML code. This vulnerability in Windows will lead to a crash of the security system so that other malware will be downloaded and installed on the infected system.

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/...ory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any...uld-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors - note Trend is reporting a 2nd variant
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analy...rojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

Quote

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This issue is due to a memory corruption error when rendering malformed cursors, animated cursors or icons, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a malicious web page or viewing an email message containing a specially crafted ANI file.
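
An added example, not part of the post above or of any linked advisory: post #2 recommends adding ANI to email blocking lists, and an extension list alone misses an attachment that has been renamed. This sketch flags attachments whose content starts with the RIFF/ACON header used by animated cursors as well as those named `.ani`; the function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTS = (".ani",)  # the extension the post asks admins to block


def looks_like_ani(data: bytes) -> bool:
    """True for a RIFF container whose form type is 'ACON' (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def flag_ani_attachments(raw: bytes):
    """Return (filename, reason) for every MIME part that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if looks_like_ani(payload):          # content check beats the file name
            hits.append((name, "content"))
        elif name.endswith(BLOCKED_EXTS):    # fall back to the extension list
            hits.append((name, "extension"))
    return hits


def sample_message() -> bytes:
    """Constructed test mail: header-only filler, not a real cursor file."""
    body = b"ACON" + b"\x00" * 16
    riff = b"RIFF" + struct.pack("<I", len(body)) + body
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    m.add_attachment(riff, maintype="application",
                     subtype="octet-stream", filename="pointer.ani")
    m.add_attachment(riff, maintype="image",
                     subtype="jpeg", filename="photo.jpg")   # renamed ANI
    m.add_attachment(b"notes", maintype="application",
                     subtype="octet-stream", filename="empty.ANI")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_ani_attachments(sample_message()):
        print(f"block {name}: matched on {reason}")
```
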


#3 quietman7

Posted 02 April 2007 - 07:42 AM

Microsoft to release update for ANI vulnerability on 4/03/07

Quote

Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early as they usually release security patches on every second Tuesday of the month but as there is an increasing activity of sites and malware using the ANI vulnerability, they decided to release it early.

http://www.f-secure.com/weblog/archives/ar...7.html#00001159
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 jgweed

Posted 02 April 2007 - 08:54 PM

MS was informed of this flaw in December. However, the flaw appears now to be actively exploited:

"For the past week, criminals have been exploiting the vulnerability, which stems from a flaw in the way that Windows renders animated cursor files (to conceptualize this built-in capability, think of cute mouse arrows that leave a trail behind when you move them). By convincing a Windows user to open a specially crafted e-mail or to visit a Web site that is currently hosting the exploit, attackers can take complete control over almost any Windows computer in use today."

http://blog.washingtonpost.com/securityfix...ml?nav=rss_blog

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 quietman7

Posted 03 April 2007 - 01:42 PM

Critical MS07-017 patch released

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
http://www.microsoft.com/technet/security/...n/ms07-017.mspx

Update for Windows XP (KB925902)
File Name: WindowsXP-KB925902-x86-ENU.exe
Version: 925902
Date: 4/03/07
Download link: http://www.microsoft.com/downloads/details...;displaylang=en

Quote

Known issues
After you install this security update on a Windows XP Service Pack 2 (SP2)-based computer, Realtek HD Audio Control Panel (Rthdcpl.exe) may not start...

http://support.microsoft.com/?kbid=925902
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Gyan

Posted 04 April 2007 - 01:22 AM



Please take note of this thread concerning this problematic update to some.

http://www.bleepingcomputer.com/forums/topic87278.html

tx
