NICK ADSL UK
Premium,MVM
join:2004-02-22

Microsoft Security Advisory (935423) Vulnerability in Window

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

»www.microsoft.com/technet/securi···423.mspx
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security



DownTheShore
Doing A Happy Dance
Premium
join:2003-12-02
Edison, NJ
Thanks for posting this.


The_alt_swhx7

@irs.gov

reply to NICK ADSL UK
I couldn't tell from the writeup - does this affect only IE or can it be exploited via other browsers too? What does Firefox do with the .ani cursors? If there is an animated cursor feature in Firefox, can it be turned off?

(swhx7 posting anon. because of untrusted computer)


The_alt_swhx7

@irs.gov
reply to NICK ADSL UK
Found the answer, it is Microsoft products only.
»www.vnunet.com/vnunet/news/21868···-attacks

matunga

join:2003-07-26


edit:
March 30th, @05:55AM

This flaw is a Windows flaw, not a browser flaw. Both browsers, IE and Firefox, are at risk:

Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer

All applications that use certain Windows API calls are affected, including Internet Explorer, Windows Explorer, Mozilla Firefox and Outlook.

»www.derkeiler.com/Mailing-Lists/···536.html


bcool
Premium
join:2000-08-25
The Ozarks

reply to The_alt_swhx7
Wow! In one little thread two contradictory assertions:

"Alternative browsers such as Firefox and Opera do not appear to be vulnerable to the attack." »www.vnunet.com/vnunet/news/21868···-attacks

"Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer" »www.derkeiler.com/Mailing-Lists/···536.html

Since Firefox most assuredly calls upon the Windows API, I will err on the side of caution.
--
"in flagrante delicto"

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to NICK ADSL UK
Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7) and even Windows Vista Mail is somewhat vulnerable. From Microsoft Security Advisory (935423):

"Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability."

I have always read all email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to NICK ADSL UK
OK, I can see Fireferret/Moz browsers being vulnerable if a page can get them to call the Windows routines for using a new cursor from an .ani file instead of the regular cursor the user already has going on. But how would that happen?

In several years of surfing with Mozilla/Seamonkey I've never had the cursor become animated. If it did I would have immediately found a way to prevent it, because I find that sort of thing intolerably annoying.

This must not be confused with the substitute cursors that can be specified with stylesheets. With some CSS you can make a compliant browser use a question mark or crosshairs, for example, instead of the usual pointer. An ani cursor, I presume, would be actually moving on its own.


KachiWachi

join:2004-02-12
Warminster, PA
I guess you don't visit myspace often then swhx7.

Mele20
Premium
join:2001-06-05
Hilo, HI
reply to NICK ADSL UK
There is a temporary patch from eeye security.

»research.eeye.com/html/alerts/ze···328.html

I'm just about to install it.


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to KachiWachi
said by KachiWachi:

I guess you don't visit myspace often then swhx7.
Well, seriously, if you or anyone can give me a link to a page that has this in it (harmless .ani file that is), I'd like to check it out. PM is OK.

rgillis70
Premium
join:2002-12-30
Herndon, VA
reply to NICK ADSL UK
Outlook 2007 and IE7 on Vista (as shipped) are not vulnerable to this one.


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
Erie, PA
reply to Mele20
Has this patch been tested by any other security vendors?


AB
Premium
join:2006-04-04
Leesburg, VA

reply to Mele20
said by Mele20:

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7)
Don't use an animated cursor?

daveinpoway

join:2006-07-03
Poway, CA
reply to NICK ADSL UK
Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/


AB
Premium
join:2006-04-04
Leesburg, VA

said by daveinpoway:

Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/
Well, now I'm thoroughly confused.
This article seems to indicate that Windows animated cursors are not at risk, and the exploit comes from allowing an animated cursor to run on a particular website, or within an HTML e-mail.
WTF?? Am I missing something? Do animated cursor files abound on websites? Do I run them all the time and just not know it?
Or is javascript heavily involved in this?
And do I have to just run some sort of .ani file on a webpage, or actually allow something specific to be downloaded onto my machine, or is user interaction not even required?

I'm not sure what that smell is.
This is either very scary or hardly worth being concerned about-- and I'll be damned if I know which right now.


Cudni
La Merma - Los De Aca
Premium,MVM
join:2003-12-20
Someshire
·BTOpenworld

reply to NICK ADSL UK
Chinese servers host malicious cursor attacks

from
»www.securityfocus.com/brief/473
"...
A criminal group responsible for using compromised Web sites to spread malicious software have already started using the latest Microsoft flaw to install their code from at least three servers in China, security experts said on Friday.
.."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
reply to NICK ADSL UK
Re: Microsoft Security Advisory (935423) Vulnerability in Window

Any POC anywhere?
I'd surely like to check if I'm vulnerable with Firefox, because these reports don't clearly say yes or no to that...


AB
Premium
join:2006-04-04
Leesburg, VA

reply to Cudni
Re: Chinese servers host malicious cursor attacks

said by Cudni:

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni!
Still sounds pretty severe, but the javascript aspect is hardly anything new.
I'll continue to disallow it as a general rule, and wait for further developments.
Won't be using any animated cursors, either.

art22gg

join:2005-02-16
Courtenay, BC

reply to NICK ADSL UK
Re: Microsoft Security Advisory (935423) Vulnerability in Window

Hi,
There sure seems to be a lot of conflicting stories/confusion going on about this subject. Hopefully the situation will be straightened up with/by someone making a definitive conclusion, about who/what is vulnerable.
MS says per quote--

Mitigating Factors for Animated Cursor Vulnerability

Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

This is not what "Security Focus" is saying!
Art