Topic: Microsoft Security Advisory (935423) Vulnerability in Window

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to NICK ADSL UK
Re: Microsoft Security Advisory (935423) Vulnerability in Window

Seven AV companies have issued protection. My AV is not one of them. I also use Outlook Express. DEFAULT settings in OE are somewhat protective in that interaction is required so for those who wouldn't just ignore and click on through there is some protection. For Plain Text readers though they are actually at the MOST RISK of all.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

reply to NICK ADSL UK
Well, this really IS confusing....from Cudni's link:

The animated-cursor flaw affects all versions of Windows, including Windows Vista, as well as Internet Explorer 6 and 7.

»www.securityfocus.com/brief/473

So what's the deal? You have to visit an infected site or open an email and click on a link that sends you to a site that has these infected cursors on it?
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~


Mele20
Premium
join:2001-06-05
Hilo, HI

All you need to do is use Outlook Express set to Plain Text for reading and then open an email that has embedded ANI files and unless your AV is detecting this, you are infected. If you use default settings for OE then you would get some interactive warning as the email would open in HTML but most folks will ignore the warning and get infected.

»isc.sans.org/diary.html?storyid=···f99022a6
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

I've never, ever seen an animated ani file in an email? And why would I open an email from an unknown source who might embed one in an email?

I suppose it could be passed on by someone else who foolishly opened something unknown, but still, that's a long shot. I can't think of anyone I email with who would do that.

Maybe I'm not understanding the mode of propagation with this.

Clicking unknowingly on an infected website seems like it would be more of a problem to me.
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~



AB
Premium
join:2006-04-04
Leesburg, VA

said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.


La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

said by AB:

said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.
Oh crap, this is too confusing.....someone get back to me when it's sorted out, lol....

Now, let me go search for the email from that rich old coot.....
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~



swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to NICK ADSL UK
Microsoft has known about this since 2006.12, and published an advisory only when exploits were reported. »blogs.zdnet.com/security/?p=143

McAfee says Firefox is not vulnerable. »www.avertlabs.com/research/blog/?p=230

I haven't confirmed it, but I suspect that .ani files are run by one of those shell handler things in Windows. I wonder whether a workaround could be as simple as disabling whatever it is in Windows that runs .ani files.

I would be surprised if Firefox downloads .ani files without warning and calls the relevant handler. If anyone reading this has ever seen a Mozilla browser load up and use an animated cursor without asking permission, or if anyone has seen a proof of concept page so we can test it, please post.

Microsoft email software is an infection vector because it uses the IE pieces for interpreting HTML. Use an email client that doesn't rely on IE and you're ok.

Mele20
Premium
join:2001-06-05
Hilo, HI

McAfee says Firefox 2.0 is not vulnerable. Many are still using 1.5 and without a POC we can't know if it is or is not vulnerable. Probably not but McAfee may not be right as other security experts say that Fx is vulnerable under some circumstances.

I don't like any other email client. OE is the only email client I have used that I really like.


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to NICK ADSL UK
Update:

.ani files are interpreted by user32.dll ( »research.eeye.com/html/alerts/ze···328.html ), and it also does a bunch of other things in Windows, so unregistering it would not be an option.

The above page also links to a 3rd party patch.

Note: .ani files can be renamed to .jpg or .jpeg and still be effective in this attack.

said by AB:

said by Cudni:

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner/help/SavingCur.htm
It explains that .ani files are delivered with code like this:

<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell DLLs, etc. Your mileage may vary.
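As an added example (not code from the thread or from any poster), here is a content-based check for the point swhx7 raises about renamed .ani files: it identifies an animated cursor by its RIFF/ACON signature rather than its extension and flags malformed chunk structure as a quarantine signal. It assumes the standard ANI layout, in which the anih chunk carries a 36-byte ANIHEADER; the sample blobs are constructed inline.

```python
import struct

ANIHEADER_SIZE = 36  # assumption: standard ANIHEADER is nine DWORDs (36 bytes)

def is_ani(data: bytes) -> bool:
    """True if the blob is a RIFF container of form type 'ACON', whatever its filename says."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def iter_chunks(data: bytes, start: int = 12):
    """Yield (fourcc, payload) for each top-level RIFF chunk; payload is None if truncated."""
    pos = start
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size, = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:          # chunk claims more bytes than the file holds
            yield fourcc, None
            return
        yield fourcc, payload
        pos += 8 + size + (size & 1)      # RIFF chunks are padded to even length

def assess(data: bytes) -> list:
    """Return structural findings; [] means either a well-formed cursor or not an ANI at all."""
    findings = []
    if not is_ani(data):
        return findings
    anih_seen = 0
    for fourcc, payload in iter_chunks(data):
        if payload is None:
            findings.append(f"truncated chunk {fourcc!r}")
            break
        if fourcc == b"anih":
            anih_seen += 1
            if len(payload) != ANIHEADER_SIZE:
                findings.append(f"anih chunk #{anih_seen} is {len(payload)} bytes, expected {ANIHEADER_SIZE}")
    if anih_seen != 1:
        findings.append(f"{anih_seen} anih chunks, expected exactly 1")
    return findings

def build_ani(anih_payload: bytes) -> bytes:
    """Constructed sample: a minimal RIFF/ACON blob holding a single anih chunk."""
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_ANI = build_ani(bytes(ANIHEADER_SIZE))   # constructed: well-formed header
BAD_ANI = build_ani(bytes(40))                # constructed: header of the wrong size
JPEG_ISH = b"\xff\xd8\xff\xe0" + bytes(20)    # constructed: starts like a real JPEG

if __name__ == "__main__":
    for name, blob in (("cursor.jpg", GOOD_ANI), ("photo.jpg", BAD_ANI), ("real.jpg", JPEGY := JPEG_ISH)):
        print(name, "ANI" if is_ani(blob) else "not ANI", assess(blob))
```

Run it over an attachment or cache directory by reading each file's bytes, ignoring the extension entirely.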

matunga

join:2003-07-26

reply to Mele20
»securitytracker.com/alerts/2007/···827.html

This can be exploited via various methods, including HTML and e-mail and is not limited to files with a '.ani' file extension.

This can be exploited via various applications that use the vulnerable Windows functions, including Microsoft Internet Explorer, Windows Explorer, Mozilla Firefox, and Microsoft Outlook.

Users with Internet Explorer 7 running in Protected Mode on Windows Vista are not affected.

daveinpoway
Premium
join:2006-07-03
Poway, CA

reply to NICK ADSL UK
I installed Blink Neighborhood Watch from eEye yesterday; they claim this will protect my PC from this problem, but I haven't found any test site to verify if I am indeed protected or not. Since I am using Zone Alarm Pro, I disabled both firewalls in BNW; hopefully, the protection against this malware is still present without BNW's firewalls, but who knows for sure?

Mele20
Premium
join:2001-06-05
Hilo, HI

I'm curious why you didn't install their patch instead?

What AV do you have? Most are protecting against it now, but not mine, and it is ironic because Avira adds more definitions than anyone just about.

rhatsaruck

join:1999-08-12
West Palm Beach, FL
Has any firm explained how to determine if you are already infected? The Microsoft advisory is silent on this matter as is Symantec, my AV vendor.


AB
Premium
join:2006-04-04
Leesburg, VA

reply to swhx7
said by swhx7:

said by AB:

said by Cudni:

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner/help/SavingCur.htm
It explains that .ani files are delivered with code like this:

<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell DLLs, etc. Your mileage may vary.
From the Security Focus article:

"The JavaScript code had previously used known vulnerabilities to exploit the systems of visitors to various Web sites, including the site for Super Bowl venue Dolphin Stadium, but have now transitioned over to using a vulnerability that has not been patched, Marx said.

Other security researchers have found a greater number of pages apparently hosting the file. A search of Google returns more than 113,000 pages with the JavaScript attack on it, according to a blog post by McAfee researcher Craig Schmugar." (Bolding mine.)

Sounds to me like javascript is involved here by more than just browser re-direction. As is often the case for web-based malware.
For me, the question is still: is this just another garden-variety exploit being over-hyped (most likely), or truly something to be seriously concerned about?
A second question would be that since this is an old and known vulnerability, why didn't Microsoft patch this long ago?
Maybe they'll just recommend that everyone move to Vista and enable 'Protected Mode'.


ModemHead
hmmm... what does this do?
Premium
join:2006-01-22
Apex, NC

Regardless of whether Javascript is required to drop the malware or not, a reading of the Gecko documentation indicates to me that Gecko-based browsers are not going to be vulnerable because animated cursors are not supported.

See Using URL values for the cursor property, esp. the section titled "Limitations" and "Compatibility with other browsers".


vircotto

join:2002-06-04
Illinois

reply to rhatsaruck
Symantec has now addressed this.

»www.symantec.com/outbreak/animat···ity.html

...
Users of Outlook 2002 (or later) or Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

Symantec Security Response has released virus definition signatures that will detect threats that attempt to exploit this vulnerability. These threats will be detected as Bloodhound.Exploit.131. Certified virus definitions dated March 30, 2007 or later contain this detection.


AB
Premium
join:2006-04-04
Leesburg, VA

reply to ModemHead
said by ModemHead:

Regardless of whether Javascript is required to drop the malware or not, a reading of the Gecko documentation indicates to me that Gecko-based browsers are not going to be vulnerable because animated cursors are not supported.
Works for me. I use a Gecko-based browser. Thanks for the link.

rhatsaruck

join:1999-08-12
West Palm Beach, FL


reply to vircotto
vircotto, Symantec has not addressed my issue. They do not explain how to determine if one has been infected.

In addition, the Symantec info you quoted

Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

contradicts Microsoft's info. Microsoft claims

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

reply to AB
said by AB:

From the Security Focus article:

"The JavaScript code had previously used known vulnerabilities to exploit the systems of visitors to various Web sites, including the site for Super Bowl venue Dolphin Stadium, but have now transitioned over to using a vulnerability that has not been patched, Marx said.

Other security researchers have found a greater number of pages apparently hosting the file. A search of Google returns more than 113,000 pages with the JavaScript attack on it, according to a blog post by McAfee researcher Craig Schmugar." (Bolding mine.)

Sounds to me like javascript is involved here by more than just browser re-direction. As is often the case for web-based malware.
For me, the question is still is this just another garden-variety exploit being over-hyped (most likely), or truly something to be seriously concerned about?
A second question would be that since this is an old and known vulnerability, why didn't Microsoft patch this long ago?
Maybe they'll just recommend that everyone move to Vista and enable 'Protected Mode'.
The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From a practical standpoint the end result is the same, I suppose, but it seems unreasonable to blame the automobile when the bank robbers get away.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
Usage note Mitigate, whose central meaning is “to lessen” or “make less severe,” is sometimes confused with militate, “to have effect or influence,” in the phrase mitigate against: This criticism in no way militates (not mitigates) against your going ahead with your research. Although this use of mitigate occasionally occurs in edited writing, it is rare and is widely regarded as an error.

not mitigate (make less severe) attempts to exploit

can mitigate (make less severe) the risk

maybe attempts to exploit is not considered to be a risk in plain text.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Wednesday, 09-Dec 09:08:04 | © 1999-2009 dslreports.com