
Windows Animated Cursor Risk to all Windows, including Vista


Microsoft has confirmed the threat. http://www.microsoft.com/technet/security/advisory/935423.mspx

There are already reports of this zero-day vulnerability being actively exploited.

The risk, of course, is that an attacker could run arbitrary code on the vulnerable system, making this an extremely dangerous threat. 

Microsoft reports that these platforms are specifically affected:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista

Microsoft's advisory concluded that "Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment, the attacker could cause the affected system to execute code."

This is an .ani (animated cursor) related threat and may be connected with the vulnerability disclosed earlier in the week and covered in this security blog under "Unpatched Hole in IE 6/7 ...."
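As an added illustration (not part of the original post, Microsoft's advisory, or eEye's fix), here is a defender-side structural check for .ani content. It relies on two facts about the format that the post itself does not spell out: an animated cursor is a RIFF container whose form type is ACON, and its anih header chunk has a fixed 36-byte layout, which is the field a malformed cursor for CVE-2007-0038 gets wrong. Because the check keys on the RIFF/ACON magic rather than the file extension, it can be run over arbitrary mail attachments or web-cache files; the sample inputs below are constructed, not real cursors.

```python
"""Structural check for RIFF/ACON animated-cursor (.ani) files.

Defensive helper: identifies .ani content by its RIFF/ACON magic (so a
renamed extension does not matter) and flags header chunks that do not
match the fixed 36-byte layout the format defines.
"""
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def iter_riff_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for chunks in data[start:end].

    Stops at the first chunk whose 8-byte header would not fit. It does not
    check that the payload fits; the caller decides how to handle that.
    """
    offset = start
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # RIFF pads odd-sized chunks to a word boundary


def _walk(data, start, end, findings, counts):
    for fourcc, payload, size in iter_riff_chunks(data, start, end):
        hdr = payload - 8
        if payload + size > len(data):
            findings.append(f"chunk {fourcc!r} at {hdr} declares {size} bytes but file ends at {len(data)}")
            return  # nothing after an overrunning chunk can be trusted
        if fourcc == b"anih":
            counts["anih"] += 1
            if size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk at {hdr} declares size {size}, expected {ANIH_EXPECTED_SIZE}")
        elif fourcc == b"LIST" and size >= 4:
            # recurse so an anih buried inside a LIST (e.g. the 'fram' list) is also checked
            _walk(data, payload + 4, payload + size, findings, counts)


def inspect_ani(data):
    """Return a list of findings; an empty list means the container looks sane.

    Non-ACON input yields a single 'not an animated cursor' finding so the
    caller can run this over arbitrary attachments without checking extensions.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF header claims {riff_size + 8} bytes, file has {len(data)}")
    counts = {"anih": 0}
    _walk(data, 12, min(len(data), riff_size + 8), findings, counts)
    if counts["anih"] == 0:
        findings.append("no anih header chunk")
    elif counts["anih"] > 1:
        findings.append(f"{counts['anih']} anih chunks where the format defines one")
    return findings


def build_sample(anih_size=ANIH_EXPECTED_SIZE, extra_anih_size=None):
    """Construct a minimal ACON container for testing (constructed data, not a real cursor)."""
    def anih(n):
        # the first field of a real ANIHEADER is its own size; the rest is zero-filled here
        return b"anih" + struct.pack("<I", n) + struct.pack("<I", n).ljust(n, b"\0")
    body = b"ACON" + anih(anih_size)
    if extra_anih_size is not None:
        body += anih(extra_anih_size)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for label, blob in [("well-formed", build_sample()),
                        ("oversized header", build_sample(anih_size=200)),
                        ("duplicate header", build_sample(extra_anih_size=64)),
                        ("truncated", build_sample()[:40]),
                        ("not ani", b"GIF89a\0\0")]:
        print(f"{label}: {inspect_ani(blob) or 'OK'}")
```

The walker deliberately stops at the first chunk that overruns the file and reports it, rather than trusting the declared size, because an oversized length field is precisely the kind of value a naive parser would use to copy into a fixed buffer. A gateway or mail filter can treat any non-empty findings list on ACON-tagged content as a reason to quarantine the file.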

Microsoft's workaround is to read email in plain text; beyond that, you simply have to avoid untrusted web sites.

The Redmond software giant also specifically warns that this workaround does not help if you are using Outlook Express.

Security settings in Vista and IE 7 mitigate the risk somewhat.

Microsoft is planning a patch, but eEye Digital Security has already released an unofficial fix for this zero-day vulnerability:

http://research.eeye.com/html/alerts/zeroday/20070328.html

NOTE: This is breaking news, so please check the Microsoft and eEye sites for any changes. Also, of course, keep an eye on this security blog for major updates.

My Comment - Microsoft's workaround brings up an interesting question: does any security-conscious IT specialist use Outlook or Outlook Express? I certainly don't use either one.

23 comments
TechExec2

. The malware is in the wild and on the attack (1). This malware in the wild affects all recent versions of Windows, [b]including Vista[/b]. Note that Vista's new security architecture DOES limit, but not eliminate, vulnerability to this exploit. I'll say it again. People who like to count vulnerabilities should take note: What counts most are EXPLOITS IN THE WILD. Windows is the king, by far, for exploits in the wild. This applies even to Vista. It's still far safer to use something other than Windows. Some people might say I'm rooting for the hackers. Too bad. I'm not rooting for them. But, maybe if Microsoft could stop doing things like Vista's WGA capricious software-triggered de-activation (among many other sins), I could still be a "fan". ------------------------------------------- (1) ANI Zero Day Takes New Turns to the Uber-Nasty http://securitywatch.eweek.com/exploits_and_attacks/ani_zero_day_takes_new_turns_to_the_ubernasty.html

apotheon

From my own perspective, I'd say that what counts is two things: 1. Exploits that can affect you in the here-and-now, as you suggest, are of paramount importance in evaluating the security of your software. This is where the rubber meets the road, as 'twere. While the "security through obscurity" drivel spouted by so many of the least knowledgeable defenders of MS Windows is pure poppycock, even if it were true it wouldn't change the fact that MS Windows constitutes a severe security risk in any security-critical deployment due to the exploit frequency and the damage these exploits can impose on operations. 2. Architectural security characteristics are of great importance as well, though in a more long-view sense. The more you commit operations to a given platform, the more you are banking on that platform providing less security exposure not only now but in the future. Current exploits are the reality of the here and now -- architectural security characteristics of a system indicate the likely vulnerability profile, and thus exploit-tendency, of the system in the future. Architectural security characteristics do not act alone in this regard, of course. Patching practices, for instance, also factor into the matter, as does the value (measured in reward vs. risk) of the system as a target.

jmgarvin

Too many users that have Vista think it is 100% secure...so those that are running it won't bother to patch it... Any bets on what the next attack vector for Vista is?

TechExec2

. I really cannot predict how the next attack will work, but I still think as follows (1): [b][i]"...With it likely being very hard to break into Vista, I think it will push Vista hacking further underground. I predict the first widespread Vista exploit will appear from out of nowhere and cause real damage to users. This won't happen for months. There has to be time for the hacker bastards to build their malware. And, there has to be enough actual Vista users..."[/i][/b] If someone's "job" is being a hacker and creating malware, and s/he wants to be "successful", this is what s/he will do. ---------------------------------------------- (1) How will the first Vista exploit appear? (2/22/2007) http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=212109&messageID=2177754

apotheon

I think the people that most need to read it are the idiot "journalists" who are leaping to report MS Windows the most secure OS ever. Thanks for the kind words, in any case.

jmgarvin

I think that perhaps some folks at MS need to take a read of that.

apotheon

Perhaps coincidentally, I just finished composing a lengthy bit that touches on that subject in some detail: [url=http://sob.apotheon.org/?p=231][b]Security Analysis: Symantec ISTR XI (Executive Summary)[/b][/url]

Tech Locksmith

Just wanted to let you know that there has been a revision to the advisory linked in the blog: "March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the 'Related Software' section."

Dr Dij

Sorry to change the topic from others placing blame .. in some other security flaws you could un-register the .dll involved. I don't use animated cursors. Is user32 used for other things? Could I just disassociate the .ani extension? And as an aside, I think ANY flaw that allows access will under today's conditions get very nasty very quick, as the crims have an efficient network to distribute these flaws, since they now make money off them. (Not to minimize the irresponsibleness of those involved in not fixing it and not testing for it in the 1st place.)

TechExec2

. From (1)(2): [b][i]"...During one week (2007-04-02/08), new undisclosed vulnerabilities / flaws / exploitation techniques discovered in the latest versions of the Microsoft Windows Vista operating system and softwares will be publicly disclosed on this page. This project is launched as a challenge by an unofficial team of security experts. Security advisories including advanced technical details will be provided. No more details will be provided before the beginning of TWOVB..."[/i][/b] Looks like things might get INTERESTING next week! :^0 P.S. Of course, this might be an April Fools joke. We all know Vista is rock solid. ;-) ---------------------------------------------- (1) Week of Windows Vista bugs? http://blogs.zdnet.com/security/?p=144 (2) The Week of Vista Bugs (TWOVB) Website https://www.securinfos.info/english/the-week-of-vista-bugs.php

TechExec2

. I love you Vi-i-sta Oh yes I do-o I love you Vi-i-sta And I'll be tru-u-e I hear that Vi-i-sta Is unsafe too TR peers say "I told you" :^0 :^0 :^0

TechExec2

. From (1): [b][i]"...A private security research outfit says it notified Microsoft about the animated cursor (.ani) code execution vulnerability since December 2006, a full four months ahead of yesterday's discovery of Internet Explorer drive-by attacks. According to Alexander Sotirov, chief reverse engineer at Determina, his research team discovered and reported the flaw to Microsoft last December. On January 3, 2007, Microsoft reserved CVE-2007-0038 to use in its security bulletin..."[/i][/b] The more things change, the more they stay the same. ------------------------------------ (1) Microsoft knew of Windows .ANI flaw since December 2006 http://blogs.zdnet.com/security/?p=143

apotheon

"[i]Dertemina is an ethical security firm which doesn't disclose new vulnerabilities before notifying the vendors:[/i]" I'd consider an "ethical security firm" to be one that notifies users first, or at least with some immediacy. It's really users who have to suffer the consequences of existing, unpatched vulnerabilities. The fact that consumers didn't know they were at risk for [i]four months[/i] really makes the word "ethical" ring hollow.

TechExec2

. So... Whoever guessed 59 days until the first zero-day exploit in the wild for Vista is the winner! :^0

cyanide

That's good for Windows, 59 days for an exploit, though MS did know about the issue, as it's a problem in XP also I believe; besides, you have to be a right moron to get infected with all this "illegitimate" crap on Windows anyway.

Tech Locksmith

Actually we're all losers on the lack of security in Vista, but I didn't win the pool because I didn't think it would take this long!

apotheon

I, for one, do not use Outlook or OE. In fact, I've learned to avoid MS Windows entirely for email. Even if I was using MS Windows for email, however, I would certainly not be using either Outlook or OE. Microsoft's little "workaround" is 100% redundant, for me, however. It has been a long time since I have even trusted email enough to use an email client that is [b]capable[/b] of rendering HTML. I use a text-only client, all the time, every time. I have yet to receive a legitimate email addressed directly to me that did not provide at least a second, plain text version. Most modern email clients automatically produce and send a plain text version of an email piggy-backed on HTML emails, when HTML email is used -- which is perfect for me. Your email is basically entirely safe, no question, as long as you strictly use a text-only client. Your only concern, no matter what OS you use, is then attachments that you may save separately from the email, perhaps to open/execute with another application. In the years that I have used a text-only client, the only messages I've ever received directly to my inbox that were HTML only were spam, scams, and phishing attempts. In some sense, it's amusing to see these emails come to me, utterly defanged by my text-only email client, knowing that many others receive exactly the same emails and are not protected because they are simply too attached to HTML email, or too ignorant of security issues to know how to avoid the threat HTML emails represent.

Tech Locksmith

I've been against the use of HTML in email in general since HTML was invented. I presume you also avoid IM - actually the only people I have ever IM'd with were two editors here at TR and then only for very limited purposes - otherwise I don't even turn on any IM service.

apotheon

I actually use IMs pretty extensively. However . . . I use Gaim with the OTR plugin for "perfect forward security" (if you're familiar with the term) encryption when at all practical, and I'm pretty damned scrupulous about what I allow through. Also, since I'm running this on FreeBSD, there's a lot I can do to secure it that isn't available on MS Windows systems.

apotheon

I can understand that. If you directly support MS Windows, it's usually necessary to run MS Windows -- usually. You probably know more about BeOS security than I do, in any case. I don't have a BeOS machine, and have only seen it in operation for a few minutes total in my life. I learned more about BeOS from Neal Stephenson's essay In the Beginning was the Command Line than from first-hand experience -- so yeah, I don't know a whole lot about it. I'm only peripherally aware that there seem to be a couple of open source BeOS revival projects out there, though I've heard nothing about any successes in that area.

Tech Locksmith

Unfortunately, pity me, I KNOW FreeBSD is a superior OS but I am forced professionally to use Windows most of the time - I own my own company, but if I ran FreeBSD all the time I wouldn't be familiar with all the new problems I encounter in Windows, so, as part of my ongoing "professional" education, I have to run Windows most of the time to see how it gets broken. (Oh well!) BTW, the reason I don't know much about BeOS security is because I run it on a stand-alone machine for special tasks it is best suited to - I don't care about its level of security - my most sensitive work is always done on a PC with removable hard drives and which doesn't have any network connections.
