
Vulnerability In Windows Animated Cursor Handling



#1 quietman7


Posted 30 March 2007 - 06:30 AM

Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7...

nist.gov

Microsoft Security Advisory (935423)

Edited by quietman7, 03 April 2007 - 01:42 PM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif



#2 harrywaldron


Posted 30 March 2007 - 02:49 PM

Some additional links are noted below:

ANI based Trojans - Exploit Windows Animated Cursor handling

New trojans have surfaced that exploit a vulnerability in Windows animated cursor handling. This malware uses the ANI extension which has been rarely manipulated by malware in the past. Corporate admins should add ANI to their email blocking lists.

Users should be cautious with all HTML based email (use plain text if possible). They should also be careful to only visit trusted and mainstream websites. The ANI malware can hide within HTML code. This vulnerability in Windows will lead to a crash of the security system so that other malware will be downloaded and installed on the infected system.

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling
http://www.microsoft.com/technet/security/...ory/935423.mspx

Other Security Advisories
http://secunia.com/advisories/24659/
http://www.avertlabs.com/research/blog/?p=230
http://www.avertlabs.com/research/blog/?p=233
http://asert.arbornetworks.com/2007/03/any...uld-infect-you/
http://research.eeye.com/html/alerts/zeroday/20070328.html
http://www.us-cert.gov/current/current_activity.html#WINANI
http://www.kb.cert.org/vuls/id/191609

AV Vendors - note Trend is reporting a 2nd variant
http://vil.nai.com/vil/content/v_141860.htm
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAX
http://www.trendmicro.com/vinfo/virusencyc...%5FANICMOO%2EAV
http://www.sophos.com/sl/va/security/analy...rojanimoou.html
http://www.f-secure.com/v-descs/exploit_w32_ani_c.shtml

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to take complete control of an affected system. This issue is due to a memory corruption error when rendering malformed cursors, animated cursors or icons, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a malicious web page or viewing an email message containing a specially crafted ANI file.



#3 quietman7


Posted 02 April 2007 - 07:42 AM

Microsoft to release update for ANI vulnerability on 4/03/07

Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early, as they usually release security patches on the second Tuesday of every month, but as there is increasing activity from sites and malware using the ANI vulnerability, they decided to release it early.

http://www.f-secure.com/weblog/archives/ar...7.html#00001159

#4 jgweed


Posted 02 April 2007 - 08:54 PM

MS was informed of this flaw in December. However, the flaw appears now to be actively exploited:

"For the past week, criminals have been exploiting the vulnerability, which stems from a flaw in the way that Windows renders animated cursor files (to conceptualize this built-in capability, think of cute mouse arrows that leave a trail behind when you move them). By convincing a Windows user to open a specially crafted e-mail or to visit a Web site that is currently hosting the exploit, attackers can take complete control over almost any Windows computer in use today."

http://blog.washingtonpost.com/securityfix...ml?nav=rss_blog

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#5 quietman7


Posted 03 April 2007 - 01:42 PM

Critical MS07-017 patch released

Microsoft Security Bulletin MS07-017
Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
http://www.microsoft.com/technet/security/...n/ms07-017.mspx

Update for Windows XP (KB925902)
File Name: WindowsXP-KB925902-x86-ENU.exe
Version: 925902
Date: 4/03/07
Download link: http://www.microsoft.com/downloads/details...;displaylang=en

Known issues
After you install this security update on a Windows XP Service Pack 2 (SP2)-based computer, Realtek HD Audio Control Panel (Rthdcpl.exe) may not start...

http://support.microsoft.com/?kbid=925902

#6 Gyan


Posted 04 April 2007 - 01:22 AM



Please take note of this thread concerning this problematic update to some.

http://www.bleepingcomputer.com/forums/t/87278/illegal-system-dll-relocation-message/

tx



