Re: Microsoft Security Advisory (935423) Vulnerability in Window in Security http://www.dslreports.com/forum/r18087575 en Wed, 02 Dec 2009 12:48:38 EDT Wed, 02 Dec 2009 12:48:38 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18109892 ZZZZZZZ : OMG....the sky is falling! :(]]> http://www.dslreports.com/forum/remark,18109892 Tue, 03 Apr 2007 11:24:07 EDT Highlghts ....Where did it all start and who was the Author ? http://www.dslreports.com/forum/remark,18108788 Name Game : worm.whboy

Users will know their systems are infected by the worm.whboy if their executable file icons turn into images of pandas with burning joss sticks. [Photo: pconline.com.cn]

Five-star cyber worm comes
2007-01/17
»www.chinadaily.com.cn/citylife/2···5644.htm

Sophos downplays 'panda' virus
January 19 2007
»www.zdnetasia.com/toolkits/0,390···p,00.htm

Anti-Worm.WhBoy Software Put Into Trial Operation
March 30, 2007
Li Jun, the creator of the rampant computer virus Worm.Whboy, has produced an anti-virus software to kill Worm.Whboy and put it into use on a trial basis on some Chinese websites.

Li has also attached a letter to the software in which he apologizes to netizens for the harm this virus has done to them. However, Li has not given details on the dependability of the anti-virus software.

Originating in Wuhan, the virus received the first five-star severity rating ever issued by the Shanghai Information Technology Service Center because it could attack local area networks in government bureaus and companies and damage their programs and databases. The worm was most destructive about three months ago, but it is still causing problems.

»www.chinatechnews.com/2007/03/30···eration/

Mcafee Input...

The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for a this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below.

This threat is considered to be a Low-Profiled risk due to media attention at: »www.chinadaily.com.cn/citylife/2···5644.htm
--

Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.

»vil.nai.com/vil/content/v_141204.htm

W32/Fujacks!htm
»vil.nai.com/vil/content/v_141161.htm
The computer may become slow and may occasionally reboot due the infection of the executable files.
For the W32/Fujacks!htm infected files, they will have an iframe in the last line of the files.

The W32/Fujacks virus will search several different vectors to find these type of files:
- htm
- html
- asp
- php
- jsp
- aspx
- EXE
- SCR
- PIF
- COM

So it can infect them.

****************************************

And if you want another good look at the chain of events..
Harry Waldron does an excellent job of that over at CofU site.

http://www.dozleng.com/updates/index.php?s=3ed00a07ba70bb9553f687452a5510c2&showtopic=13805
--
Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/
]]> http://www.dslreports.com/forum/remark,18108788 Tue, 03 Apr 2007 04:34:29 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18106245 SpannerITWks : ModemHead

Thanx for the info !

Spanner]]> http://www.dslreports.com/forum/remark,18106245 Mon, 02 Apr 2007 17:36:33 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18104270 Name Game :
said by astirusty See Profile :

said by Name Game See Profile :

You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week.
...
Until Microsoft has released the update, ...

**********************************

The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added ...
I don't understand the connection. If MS has known about it for 3 months, and only now gets around to providing a fix; how are the pirated copies or never updated copies the problem.
Maybe you mean that even though a fix (patch) is finally provided by MS, the pirated copies and non-updaters will still be a food-supply for Bot-nets?
And worm in this case..

The problem out there is just like always.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18104270 Mon, 02 Apr 2007 11:53:05 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18104090 astirusty :
said by Name Game See Profile :

You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week.
...
Until Microsoft has released the update, ...

**********************************

The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added ...
I don't understand the connection. If MS has known about it for 3 months, and only now gets around to providing a fix; how are the pirated copies or never updated copies the problem.
Maybe you mean that even though a fix (patch) is finally provided by MS, the pirated copies and non-updaters will still be a food-supply for Bot-nets?]]> http://www.dslreports.com/forum/remark,18104090 Mon, 02 Apr 2007 11:24:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18103258 daveinpoway : AV is (was) Avast. You're right that I could have installed the patch, but the lure of Blink protecting you against future zero-day stuff was strong.

Anyway, I am now using Blink Personal Edition, for which eEye offers a free 1-year license (I don't know if you can renew it for free when it expires, but I'll concern myself with that next April). So, I removed Zone Alarm Pro, Avast and some other anti-malware stuff from my system. One thing I see is that BPE scans much faster than Avast. Avast took about 2.5 hours to scan my C drive, but BPE does a full scan in a little more than an hour. ]]> http://www.dslreports.com/forum/remark,18103258 Mon, 02 Apr 2007 07:11:18 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18103241 Name Game : F-Secure Lab

"Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early as they usually release security patches on every second Tuesday of the month but as there is an increasing activity of sites and malware using the ANI vulnerability, they decided to release it early.

You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. The issue of the ANI vulnerability was actually brought to Microsoft's attention back in December 2006 according to their their Security Response Blog and they've been investigating and working on a fix since then.

Until Microsoft has released the update, you can count on us to continue adding detection for known versions of the ANI exploit and worms."

»www.f-secure.com/weblog/archives···00001159

**********************************

The problem out there is just like always. There are thousands if not millions of users that fit in the category of running pirated copies of Microsoft Software who never updated and added to that are those who own the software but refuse to update..I see people out there not even with SP1 muchless SP2 for XP.

The media does not help on all this either..when it all started all they could lick their lips on..was reporting there was now a vulnerability/exploit for VISTA and rag on that for a few days. :(
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18103241 Mon, 02 Apr 2007 06:58:52 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102945 Mele20 : Read the ZERT explanation. You are right that there was a similiar exploit in 2005. ZERT explains very well how this new one came about and points out that Microsoft was derelict in duty in that this one could have been avoided if they had checked the entire code for ANI two years ago. ]]> http://www.dslreports.com/forum/remark,18102945 Mon, 02 Apr 2007 02:44:38 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102887 Sindows 7 :
said by ModemHead See Profile :

It appears that the ZERT site is mirrored (as per Bob above) and the cursor files that are embedded referenced in the POC test page do not exist on one of the mirrors (as of 10pm EDT).

The working test page is:
»zert.isotf.org/tests/testani.htm

The non-working test page is:
»isotf.org/zert/tests/testani.htm

The non-working test page will never do anything but tell you that you are not vulnerable, even if you are.

The ZERT people seem to be a little confused, I wouldn't recommend loading any patches from there at this time...
Hey I clicked the links and IE crashed or closed.
I use .ani files for my mouse and cursors, I got them from win95 days...........what this all mean?
I thought this was discussed before too a couple years back.
»Do You Trust Your Browser...
»www.microsoft.com/technet/securi···002.mspx
and »Followup
--
ASUS A7N8X2.0 Dlx NFORCE2 Ultra400 Athlon XP 3200+ Barton @2.20 GHz Corsair TWINX1024-3200C2PT @2-3-3-6-400Mhz DDR DualChannel ATI 1650Pro 512MB SB Live! 5.1 Windows Vista 5744 IE 7 DI-604 Router Telus 6.0 APC BackUPS 450]]> http://www.dslreports.com/forum/remark,18102887 Mon, 02 Apr 2007 02:15:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102394 Just Bob : Apparently the critical update scheduled for April 3 is a patch for the ani exploit.

»blogs.technet.com/msrc/archive/2···423.aspx

It only stands to reason, as I just installed the zert patch. :)]]> http://www.dslreports.com/forum/remark,18102394 Sun, 01 Apr 2007 23:39:35 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102377 Name Game :
said by planet See Profile :

From Wilders:
»www.wilderssecurity.com/showthre···t=170459
Poor guy..hope someone lets him know the score with his AV and what to do next. :(
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18102377 Sun, 01 Apr 2007 23:34:36 EDT Official patch due on Tuesday 3-Apr http://www.dslreports.com/forum/remark,18102372 ModemHead : »MS Security Bulletin Advanced Notification for 4/3/2007]]> http://www.dslreports.com/forum/remark,18102372 Sun, 01 Apr 2007 23:33:20 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102232 Mele20 : I have been reading for five hours and almost all of that time has been on this! I still haven't read the F-Secure link..will do, but time for a bit of a break. Avira just updated and has a new engine and detects this now heuristically. (But their information pages are somewhat incorrect and some are in German only and Google translation is not very helpful). :D]]> http://www.dslreports.com/forum/remark,18102232 Sun, 01 Apr 2007 22:59:08 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102209 planet : From Wilders:
»www.wilderssecurity.com/showthre···t=170459]]> http://www.dslreports.com/forum/remark,18102209 Sun, 01 Apr 2007 22:55:23 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102198 ModemHead :
said by SpannerITWks See Profile :

What i found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?
The link you followed from the test page to get a flash-based page is isoft. The original site is isotf. Typo?

These ZERT folks sure do have a lot of problems. But they are linked from SANS.]]> http://www.dslreports.com/forum/remark,18102198 Sun, 01 Apr 2007 22:52:32 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102115 Name Game : spanner,

correct..that is just their way of playing around to make people happy..so do not get the impression that activeX or flash is any part of what is out there.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18102115 Sun, 01 Apr 2007 22:38:28 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102100 Name Game :
said by Mele20 See Profile :

OK. If the information is updated then good to post that but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that had been updated? But I don't want to split hairs...as I said repeating stuff in these forums seems to a necessity for a variety of reasons.
you already split hairs and did not even read the links muchless the f-secure write up at the first or second link posted :D :D when you finally do it will answer your own question. Settle down..and spend some time reading rather than training anyone how to post.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18102100 Sun, 01 Apr 2007 22:34:53 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102079 SpannerITWks : Tested with IE6 on 98SE -



No crash, no problems !

What i found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?



As i don't have those things enabled by default, i didn't see anything.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks]]> http://www.dslreports.com/forum/remark,18102079 Sun, 01 Apr 2007 22:31:08 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102059 ModemHead : The cursor files (there are two) at ZERT are not quite so potent. They immediated crashed IE6 on my fully-patched XP Pro SP2 system. But they had no effect on Windows Explorer, even when I changed the extensions from JPG to ANI. No hung threads with open handles in Explorer either, as with the other POC from last night that you had so much fun with.

Also, this ZERT POC page has zero effect on Firefox 2.0.0.3. The CSS code is actually syntactically incorrect, so Fx doesn't even attempt to get the cursor files.]]> http://www.dslreports.com/forum/remark,18102059 Sun, 01 Apr 2007 22:25:40 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102036 Mele20 : OK. If the information is updated then good to post that but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that had been updated? But I don't want to split hairs...as I said repeating stuff in these forums seems to a necessity for a variety of reasons.]]> http://www.dslreports.com/forum/remark,18102036 Sun, 01 Apr 2007 22:20:59 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18102010 Name Game :
said by Mele20 See Profile :

I posted that information in this thread yesterday and was told twice by Kiwi that I was posting a trojan link which I was not ...people don't read! First Kiwi and now you. :( But from the BoClean thread I learned that some things have to be repeated ad nauseum so I get it doesn't hurt for you to repeat what I already posted.

»Re: Microsoft Security Advisory (935423) Vulnerability in Window
:D
Nonesense..you posted no f-secure links..and the cisrt.org link you posted has now been updated..and happens to also be incorporsted at the f-secure site..the info is all new..
and on top of it all this badboy ANI is pretty much of a NO SHOW to date in the wild..one of the slowest worms I have seen in a long time..compared to all the sky is falling dumps the AV houses are yelling about..heck they even have to share copies of them to even reverse engineer them.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18102010 Sun, 01 Apr 2007 22:16:11 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101997 Mele20 :
said by Cudni See Profile :

Thanks for ZERT article. I tried poc page, with no patch installed, using both IE7 and FF and no crash with either. Both time displayed
"you do not appear to be vulnerable to the ie ani cursor exploit ..."

Cudni
That may not be accurate. The Zert page if followed from some links will not download the patch and will also show invalid information if you do the test from that link. There are a bunch of posts about it at GRC Security NG. If you can download the patch from the link you used for the test then probably you are on the valid link.

Some are so suspicious as to not test or download the patch because the ZERT icon is missing from the page. As I understand it, Internet Storm Center has an invalid (or did as they have been notified and may have fixed it) link to the ZERT page so if you used that link the test in invalid. If you used the link I posted, it should be a valid test....I think...but my head is reeling from stuffing too much about this into it. Really is beginning to remind me of the days right after WMF was discovered and tomorrow being the first work day ...oh, boy.

I have not done the test or installed the ZERT patch althought I did download it. I had enough taste of danger last night trying to get rid of the POC that I let IE download. If I had downloaded that file to the desktop...eegads! would I have had a mess as Explorer would have gone into an infinite crash/reboot loop. Luckily, out of habit, I let it download to the usual Downloaded Programs folder that I use. Explorer wouldn't let me in the folder. It would crash if I got near the folder. It took Command Line (which I am not good at) to get into the folder and there was question about an active handle maybe being held open by it and if so I might not have been able to have deleted it that way. Luckily, after several tries (had to reboot and not let Explorer anywhere near the Downloaded Programs folder) and help with trying various commands, I got it deleted. That was enough excitement for me for awhile. ;)
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18101997 Sun, 01 Apr 2007 22:14:14 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101987 ModemHead : It appears that the ZERT site is mirrored (as per Bob above) and the cursor files that are embedded referenced in the POC test page do not exist on one of the mirrors (as of 10pm EDT).

The working test page is:
»zert.isotf.org/tests/testani.htm

The non-working test page is:
»isotf.org/zert/tests/testani.htm

The non-working test page will never do anything but tell you that you are not vulnerable, even if you are.

The ZERT people seem to be a little confused, I wouldn't recommend loading any patches from there at this time...]]> http://www.dslreports.com/forum/remark,18101987 Sun, 01 Apr 2007 22:12:53 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101913 Mele20 : I posted that information in this thread yesterday and was told twice by Kiwi that I was posting a trojan link which I was not ...people don't read! First Kiwi and now you. :( But from the BoClean thread I learned that some things have to be repeated ad nauseum so I guess it doesn't hurt for you to repeat what I already posted.

»Re: Microsoft Security Advisory (935423) Vulnerability in Window]]> http://www.dslreports.com/forum/remark,18101913 Sun, 01 Apr 2007 21:55:52 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101860 Name Game : Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

This is real and we've confirmed it: however, we've only received six customer reports so far.

We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.

The worm tries to locate all HTML files from the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such web pages files are viewed or uploaded to a webserver, they will spread the infection further.

In addition of spreading via the ANI exploit, it also tries to spread via USB stick and other removable media.

Easy way to confirm an infection is the existance of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to SYSTEM32 folder. Sysadmins can monitor their outgoing email to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com or 3876195@qq.com would indicate an infection.

»www.f-secure.com/weblog/

»www.f-secure.com/v-descs/agent_bky.shtml
»www.cisrt.org/enblog/read.php?68
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18101860 Sun, 01 Apr 2007 21:44:24 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101824 Cudni : Thanks for ZERT article. I tried poc page, with no patch installed, using both IE7 and FF and no crash with either. Both time displayed
"you do not appear to be vulnerable to the ie ani cursor exploit ..."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006-2007]]> http://www.dslreports.com/forum/remark,18101824 Sun, 01 Apr 2007 21:37:02 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101764 Mele20 : Larry Seltzer has an interesting piece on the ANI attacks:

"I don't often get this mad at a vendor. I'm usually more inclined to feel sorry for them for all the grief they'll take when they screw up, but Microsoft deserves massive grief from this. Like the WMF bug, this is likely to be an endemic attack for years to come, lurking around the background of the Internet, and it needn't have happened."

I agree.

»www.eweek.com/article2/0,1895,2110151,00.asp
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18101764 Sun, 01 Apr 2007 21:26:19 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101749 Just Bob : Our gentle readers may run across two different forms of the link.
»isotf.org/zert/advisories/zert-2007-01.htm
The download works from this link.

»zert.isotf.org/advisories/zert-2007-01.htm
The download doesn't work from here; 404 error.

The second link is a mirror:
»isotf.org/zert/advisories/zert-2007-01.htm
04/01/07 20:57:09 dns isotf.org
Canonical name: isotf.org
Addresses:
209.151.108.139

»zert.isotf.org/advisories/zert-2007-01.htm
04/01/07 20:56:43 dns zert.isotf.org
Canonical name: zmirror.isotf.org
Aliases:
zert.isotf.org
Addresses:
209.151.108.133]]> http://www.dslreports.com/forum/remark,18101749 Sun, 01 Apr 2007 21:24:07 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101574 Mele20 : ZERT has just issued a patch that, unlike the eEye one, addresses the core of the vulnerability. A POC is also provided to see if the patch has been installed properly and is working. GRC Security NewsGroup notes that the patch is not completely stable.

ZERT also explains that this exploit is a result of someone taking advantage of Microsoft's sloppiness when they fixed the earlier ANI exploit MS05-002. Sigh. Will Microsoft ever get serious about security so this sort thing doesn't keep happening?

From ZERT:

"The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered."

»isotf.org/zert/advisories/zert-2007-01.htm

For W98 users it should be noted that this patch WORKS ON W98.

--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18101574 Sun, 01 Apr 2007 20:48:31 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18101035 NICK ADSL UK : Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 31, 2007

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Revisions:

• March 29, 2007: Advisory published

• March 29, 2007: Advisory revised to add additional information regarding Outlook 2007 in the Mitigations Section. The Workarounds Section also updated to clarify impact and use of plain text email on Windows Mail and Outlook Express

• March 31, 2007: Advisory revised to add additional information regarding Windows 2003 Service Pack 2, Microsoft Windows Server 2003 with SP2 for Itanium-based Systems, and Microsoft Windows Server 2003 x64 Edition Service Pack 2 in the “Related Software” section.

»www.microsoft.com/technet/securi···423.mspx
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security

]]> http://www.dslreports.com/forum/remark,18101035 Sun, 01 Apr 2007 18:58:43 EDT Microsoft has its priorities well placed ... http://www.dslreports.com/forum/remark,18097219 EGeezer :
said by Mele20 See Profile :

I have always read my incoming email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
I use a really old version of Mailwasher (2.0.28 beta) to screen, preview and scrub junk while it's on my ISP's POP server. It's been quite effective and requires minimal effort.

What really gripes me is that Microsoft has not issued a fix for this, but I just saw the second non-patch Tuesday WGA update notification. MS didn't wait for patch Tuesday to issue these "high priority updates".

[sarcasm]
But I'm sure that WGA updates must be a more meaningful priority for users than these insignificant little security holes. But at least I know if my systems become infected, they'll be using "genuine copies" of a vulnerable OS. :D
[/sarcasm]
--
03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...]]> http://www.dslreports.com/forum/remark,18097219 Sat, 31 Mar 2007 23:41:13 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18097212 Mele20 : OK. I see what you are saying. Thanks.

I was just going on what someone said on the GRC Newsgroup. But doing it to link directly to the file was ok in the sense that I was able to download it and and demonstrate that Explorer does crash when it gets anywhere near the location of that file.]]> http://www.dslreports.com/forum/remark,18097212 Sat, 31 Mar 2007 23:38:34 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18097193 Name Game :
said by swhx7 See Profile :

On the Javascript question: It's not important, but Argle Bargle I believe you misread the article. JS was used for redirection according to the sentence in one paragraph quoting Andreas Marx, and other later mentions of Javascript either refer to the redirection or to previous attacks. It is written unclearly.

But the important point is, Javascript is not necessary to the attack. And therefore, turning off Javascript will not protect against it. You can see this in the code sample in my post, and from the samples in the Gecko documentation page, and in the proof of concept page which Mele linked to: in each case, all it takes is CSS lines to deliver the malicious file.

It's true that Javascript could be used to enhance an attack, for example by redirection, by using JS to write out CSS lines, or in some other way, but it's not really an issue here.

Credit to Modemhead for pointing out the Gecko documentation page. It confirms that Mozilla browsers won't cause execution of the malicious files, unless maybe in very recent versions if that page is outdated. But my version of Seamonkey is current and it did not respond to an .ani file, as I recounted above.
Name : Exploit:W32/Ani.C
Alias: TROJ_ANICMOO.AX, Trojan-Downloader.Win32.Ani.g, Exploit:W32/Ani.D, Troj/Animoo-U, Exploit-ANIfile.c trojan, Exploit:W32/Ani.E
Size: Random
Type: Trojan-Downloader, Exploit
Category: Malware
Platform: W32
Date of Discovery: March 29, 2007
Radar




Summary
Exploit:W32/Ani.C is a trojan that exploits a vulnerability in Windows animated cursor handling, .ANI files, in order to download and install other Malware to the system.



Detailed Description
Ani.C is a trojan that takes advantage of a Vulnerability in Windows Animated Cursor Handling (Security Advisory 935423), in order to download other malicious files from the Internet.

These malicious animated cursor (.ANI) files can be hosted on websites and can trigger code execution upon visiting such sites. They can also be embedded in specially crafted e-mails or attachments within the e-mail that upon reading or previewing can cause the system to execute the code.

This trojan was seen hosted at the following site:

ht tp://newasp.com.cn/[REMOVED].jpg

Other sites found also links or loads the malicious .ANI file:

ht tp://newasp.com.cn/[removed].htm
ht tp://bc0.cn/[removed].js

Upon successful execution, this trojan may download other malware via the Internet and execute it on the system. Below are the download sites used:

ht tp://newasp.com.cn/[removed].exe - Trojan-PSW:W32/Agent.IM
ht tp://61.218.38.35/images/[removed].exe -
Trojan-Downloader:Win32/Tiny.GG
ht tp://220.71.76.xxx/wincf.exe - Trojan-Downloader:W32/Small.EKV

»www.f-secure.com/v-descs/exploit···_c.shtml
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18097193 Sat, 31 Mar 2007 23:33:25 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18097180 swhx7 : You weren't doing it wrong. The POC page is hxxp://sicotik.com/ink/test.html. This is a regular HTML page except that it has a CSS statement specifying the .ani file. This is the way the exploit would normally work. The result should be nothing but a regular page on Firefox. With IE the expected result will vary depending on IE version, Windows version, service pack and hardware.

If you substitute .ani for .html then you're just linking to the .ani file directly instead of letting the browser get it when instructed to by the page. Being a binary it will just display as junk on Firefox; but IE will offer to download and run it.

Edit: Readers, don't use that link if you don't know what you're doing. It's not malicious, but it might crash some programs. If you're just wanting to know how to avoid infection, use Firefox instead of IE until Microsoft puts out a patch and you've installed it, and avoid Microsoft email programs.]]> http://www.dslreports.com/forum/remark,18097180 Sat, 31 Mar 2007 23:30:35 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18097044 Mele20 : The POC mentioned in »Re: Microsoft Security Advisory (935423) Vulnerability in Window

I was doing it wrong. You have to leave off the .html and add .ani instead. When I did that, Fx gave me a page with a bunch of question marks, some text and some gibberish.

When I tried it on IE, it promptly offered to download an animated cursor file. I downloaded it to disk and saved it in my Downloaded Programs folder. I then tried to use Explorer to navigate to the file which I intended to scan with Avira. I couldn't even get into that folder before Explorer crashed. I have Hardware DEP on Opt Out so it looks to me that DEP is not a protection.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18097044 Sat, 31 Mar 2007 23:01:24 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096983 swhx7 : On the Javascript question: It's not important, but Argle Bargle I believe you misread the article. JS was used for redirection according to the sentence in one paragraph quoting Andreas Marx, and other later mentions of Javascript either refer to the redirection or to previous attacks. It is written unclearly.

But the important point is, Javascript is not necessary to the attack. And therefore, turning off Javascript will not protect against it. You can see this in the code sample in my post, and from the samples in the Gecko documentation page, and in the proof of concept page which Mele linked to: in each case, all it takes is CSS lines to deliver the malicious file.

It's true that Javascript could be used to enhance an attack, for example by redirection, by using JS to write out CSS lines, or in some other way, but it's not really an issue here.

Credit to Modemhead for pointing out the Gecko documentation page. It confirms that Mozilla browsers won't cause execution of the malicious files, unless maybe in very recent versions if that page is outdated. But my version of Seamonkey is current and it did not respond to an .ani file, as I recounted above.]]> http://www.dslreports.com/forum/remark,18096983 Sat, 31 Mar 2007 22:48:06 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096935 Kiwi : It's a Trojan. I would like to get a link though, but not something that would infect others; meaning leave the http out.

I don't have a problem going to bad sites, though that's not my normal habit. My habits are simple. Based on research, I don't go to marginal sites; sometimes it becomes necessary :D]]> http://www.dslreports.com/forum/remark,18096935 Sat, 31 Mar 2007 22:37:22 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096861 Mele20 : I don't think that Websense would provide a link to an infected site. If they did and Fx turns out to be vulnerable then I guess I got infected (as I have not applied the temporary patch).

Yes, it is a TROJAN, but there is a WORM now also that is playing off the TROJAN. Maybe I am just not explaining it well.]]> http://www.dslreports.com/forum/remark,18096861 Sat, 31 Mar 2007 22:21:02 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096793 Kiwi : It's a trojan. No matter the alternate flavours of site reference. OK, someone link an actual site; without the http [So others don't get infected].

I happily took care of worms and virus activity on the fly; until it was no longer fun [Large numbers]. I still don't have a complete grip on root kits, but I do on Trojans, malware, spyware and viruses.

The bottom line is this is no more extreme than anything else. Provided locked sites are not involved, I still don't have a real problem with this threat.

On the whole this is still a surfing habit issue.]]> http://www.dslreports.com/forum/remark,18096793 Sat, 31 Mar 2007 22:08:41 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096703 bettywont : Name Game and all thanks

If anyone applied the patch does it show up in the ''ADD/REMOVE'' Where exactly does it show up, please!!]]> http://www.dslreports.com/forum/remark,18096703 Sat, 31 Mar 2007 21:51:17 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096515 Mele20 : No, I am talking about the new WORM not the Trojan that the Chinese Internet Security Response Team is saying is being seen in China. I gave the link to the CISRT site but for those suspicious of it, I got the link both from GRC News groups and from »www.websense.com/securitylabs/al···rtID=763]]> http://www.dslreports.com/forum/remark,18096515 Sat, 31 Mar 2007 21:13:44 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096472 anon : \"Kaspersky protects against it. I haven\'t heard about any other AV vendors protecting yet.\"

Is this what you are talking about?
»www.symantec.com/security_respon···-3019-99]]> http://www.dslreports.com/forum/remark,18096472 Sat, 31 Mar 2007 21:06:23 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096432 Name Game :
said by Mele20 See Profile :

Did yu forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I think they are all working on the ones they can find.. :D :D..but so far it really seems to be a no show..and a few duds.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18096432 Sat, 31 Mar 2007 20:58:42 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096385 Kiwi :
said by Mele20 See Profile :

Did yu forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I don't know the site you linked, but there is no worm code there, it's all trojan based MD5 hash. Not sure I would venture out of known waters ;)]]> http://www.dslreports.com/forum/remark,18096385 Sat, 31 Mar 2007 20:51:48 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096345 Mele20 : Did yu forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?]]> http://www.dslreports.com/forum/remark,18096345 Sat, 31 Mar 2007 20:44:53 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096329 Mele20 : Thee is a worm now propogating from China using the exploit code.

Kaspersky protects against it. I haven't heard about any other AV vendors protecting yet.

»www.cisrt.org/enblog/read.php?68.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18096329 Sat, 31 Mar 2007 20:42:47 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096302 Name Game :
said by Mele20 See Profile :

Eset has been detecting since Friday morning. Eset has a blog on the exploit.

»eset.com/threat-center/blog/

The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out.
Never heard of those companies..but I know Microsoft is detecting the animated curser.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
]]> http://www.dslreports.com/forum/remark,18096302 Sat, 31 Mar 2007 20:38:14 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096215 Mele20 : Eset has been detecting since Friday morning. Eset has a blog on the exploit.

»eset.com/threat-center/blog/

The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18096215 Sat, 31 Mar 2007 20:23:37 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096196 Kiwi : Ah, confirmed Trojan :D]]> http://www.dslreports.com/forum/remark,18096196 Sat, 31 Mar 2007 20:19:29 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096164 Name Game :
said by bettywont See Profile :

Could you please list the 7 companies or provide a link so we can have some piece of mind or mental illness.
Thanks
yes

first two links will give you the names and write up of the two badboys detected..

»www.f-secure.com/v-descs/exploit···_c.shtml

»www.f-secure.com/v-descs/trojan-···kv.shtml

AND SANS is the place to monitor that will keep you abreast of those products which seems to detect what is out there.

Windows Animated Cursor Handling vulnerability - CVE-2007-0038
Published: 2007-03-29,
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14)

Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
»isc.sans.org/diary.html?storyid=···84c25591
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18096164 Sat, 31 Mar 2007 20:14:49 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096158 NICK ADSL UK : And from Microsoft's Christopher Budd
»blogs.technet.com/msrc/archive/2···423.aspx]]> http://www.dslreports.com/forum/remark,18096158 Sat, 31 Mar 2007 20:14:10 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096135 Kiwi : To retain some sanity :D Avoid MySpace, use an email client other than outlook (Nobody learns). Disable Java & ActiveX, as most pre VISTA folks do. Check your Reg files on occasion for unsupported changes. Next relax, this to will pass. To date I have not seen any migration into secure sites and that's my only real concern.

[Edit] Stack overflow is how 98% of these work.

Still don't get hard hat foils out until some damage is done from respected folks who know how to secure a rig. Granted, most visiting here have a clue and the general public won't. Net Habits, folks, habits.....]]> http://www.dslreports.com/forum/remark,18096135 Sat, 31 Mar 2007 20:10:06 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096131 NICK ADSL UK : Determina Security Research
»www.determina.com/security.resea···der.html]]> http://www.dslreports.com/forum/remark,18096131 Sat, 31 Mar 2007 20:09:13 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096129 Mele20 : Exploit code here:

»seclists.org/fulldisclosure/2007···563.html

Doesn't work if DEP is on for Explorer.

POC is here:

»seclists.org/fulldisclosure/2007···569.html

When I go to that POC on IE6 on XP Pro SP2, IE immediately crashes.

When go on Fx 1.5.0.11, I get this WHEN USING THE PROXOMITRON WITH SIDKI'S FILTERS:

Microsoft Windows .ANI 0DAY Exploit
Copyright (c) 2007 devcode
• JS Alert: Boo

If I go to to the POC on Fx, WITH PROXO DISABLED, Fx appears to be vulnerable! Or am I misinterpreting this? I do not use an extension to turn off scripting in Fx because I feel the Proxomitron will protect in that area as it has done in this instance.

EDIT: I tried the POC again on Fx with Proxo enabled and now I am getting the same thing I have shown in the screenshot. Orginally, with Proxo running, I only got a plain text alert in the upper left corner of the screen about the javascript. Now I am seeing the popup with Boo in it. I'm not sure what this signifies in regards to Fx vulnerability. Maybe nothing because Fx doesn't crash at POC like IE does? Maybe I need to close and reopen Fx to get an accurate test? I have too many tabs open to do that!
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/
Click for full size
]]> http://www.dslreports.com/forum/remark,18096129 Sat, 31 Mar 2007 20:08:55 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18096061 bettywont : Could you please list the 7 companies or provide a link so we can have some piece of mind or mental illness.
Thanks]]> http://www.dslreports.com/forum/remark,18096061 Sat, 31 Mar 2007 19:54:43 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18095984 Mele20 : I use Avira free version and I am not a happy camper at the moment. I posted about this at the Avira forums yesterday as Avira is one of the FEW AV not currently protecting. A mod asked me what the big deal was and my post was moved to the most obscure forum there. I then posted a lot of research on this exploit and asked if my post was moved because Avira was ashamed of dropping the ball on this one. That got my posts moved to a more relevant forum but the mod commented that since Avira personnel mostly don't work on weekends probably there will be no update for this until Monday. :(

I am also re-evaluating my use of Avira free because it doesn't have an email scanner. I have always avoided using an email scanner on Outlook Express because of Microsoft's admonishment to not do so due to the fragility of the OE database store. However, if my AV had an email scanner, I would certainly turn it on in a situation such as this one. I always read email in Plain Text but that, in this case, is LESS protective than using HTML.

I guess I should install the eEye patch which I have, but have been reluctant to install it as the last time I installed a third party patch it worked fine but then when MS issued a patch, the one I had would not uninstall properly.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18095984 Sat, 31 Mar 2007 19:42:41 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18095885 Kiwi : May not as it seems Trojan based.]]> http://www.dslreports.com/forum/remark,18095885 Sat, 31 Mar 2007 19:21:33 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18095872 Name Game : More vulnerabilities, ANI-one?
»www.f-secure.com/weblog/archives···00001154

Update on ANI Exploit
»www.f-secure.com/weblog/archives···00001156
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18095872 Sat, 31 Mar 2007 19:19:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18095812 Mele20 : The Internet Storm Center (SANS Institute) has just raised the INternet threat level to YELLOW because of this exploit:

"*ANI exploit code drives INFOCon to Yellow
Published: 2007-03-31,
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)
The ANI vulnerability has been been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4,) FS/ISAC's Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is to "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.

* Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
* The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
* The number of compromised sites pointing to malicious sites is also on the rise.

Recommendations:

* Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
* Content-filtering. If your environment supports it, dropping ANI files (not based on file extention, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)"

»isc.sans.org/diary.html?storyid=2542

My AV does not protect against this. :(
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18095812 Sat, 31 Mar 2007 19:05:36 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18095179 aka Iceman :

Some comments and prevention tips from CERT:

copy & paste

* Configure Outlook to display messages in plain text

An attacker may be able to exploit this vulnerability by convincing a user to display a specially crafted HTML email. This can happen automatically if the preview pane is enabled in your mail client. Configuring Outlook to display email in plain text can help prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.
Note: The Outlook Express option for displaying messages in plain text will not prevent exploitation of this vulnerability. This workaround is only viable for systems with Microsoft Outlook
------------------

* Disable email preview pane

By disabling the preview pane in your mail client, incoming email messages will not be automatically rendered. This can help prevent exploitation of this vulnerability.

-------------------

* Configure Windows Explorer to use Windows Classic Folders

When Windows Explorer is configured to use the "Show common tasks in folders" option, HTML within a file may be processed when that file is selected. If the "Show common tasks in folders" is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the "Show common tasks in folders" is enabled by default. To mitigate this attack vector, enable the "Use Windows classic folders" option. To enable this option in Windows Explorer:

Open Windows Explorer
Select Folder Options from the Tools menu
Select the "Use Windows classic folders" option in the Tasks section

--------------------------

see: »www.kb.cert.org/vuls/id/191609

]]> http://www.dslreports.com/forum/remark,18095179 Sat, 31 Mar 2007 16:30:54 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094848 javaMan :
said by AB See Profile :

What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw. ;)
Sorry, I thought I was being clear. First, JavaScript doesn't seem to be crucial in this case but can be utilized to deliver the exploit, yes. But my point is that a tool is benign (assuming there is no flaw in the tool), it is how the tool is used that matters. It may certainly be beneficial to secure a browser by not allowing just any script to run willy-nilly since one will not always know which script is bad and which is not. But I hope you would agree that most scripts are not bad. Therefore, it is a mistake to condemn the technology because it can be used to do bad things.

Edit: To further clarify, this vulnerability lies outside the scope of JavaScript. In other words, the script will do what is legitimate and legal, it is a weakness in Windows that causes the problem. If that problem didn't exist, the script would be harmless.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20]]> http://www.dslreports.com/forum/remark,18094848 Sat, 31 Mar 2007 15:13:43 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094701 Kiwi :
said by AB See Profile :

What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw. ;)
There are many script types out there, Java seems to be targeted more frequently than even ActiveX. Java was a worthy scripting alternative, a bit LARGE; but workable. That's how the bad guys got in on the game, frivolous [huge] sized scripts. Meaning they could hide small C++ in the corners of Java.]]> http://www.dslreports.com/forum/remark,18094701 Sat, 31 Mar 2007 14:36:29 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094672 AB :
said by javaMan See Profile :

said by AB See Profile :

said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From practical standpoint the end result is the same I suppose but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.
In the sense that blame should be placed for the current problem, it isn't semantics at all. JavaScript is just a tool like the automobile and it works as it's supposed to. That it can be used to do bad things is not the fault of the tool any more than the automobile. It is not a surprise that JavaScript--or a similar tool-- would be used in a web based attack. In fact, I would be surprised if it weren't; what else would a web based attack use but a web based tool? I also expect a bank robber to use a car but the same car can be used to pick my kids up after school. The problem here is apparently within the Windows API, not JavaScript.
What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw. ;)]]> http://www.dslreports.com/forum/remark,18094672 Sat, 31 Mar 2007 14:28:32 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094640 javaMan :
said by AB See Profile :

said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From practical standpoint the end result is the same I suppose but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.
In the sense that blame should be placed for the current problem, it isn't semantics at all. JavaScript is just a tool like the automobile and it works as it's supposed to. That it can be used to do bad things is not the fault of the tool any more than the automobile. It is not a surprise that JavaScript--or a similar tool-- would be used in a web based attack. In fact, I would be surprised if it weren't; what else would a web based attack use but a web based tool? I also expect a bank robber to use a car but the same car can be used to pick my kids up after school. The problem here is apparently within the Windows API, not JavaScript.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20]]> http://www.dslreports.com/forum/remark,18094640 Sat, 31 Mar 2007 14:18:33 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094620 Name Game : I love it when every AV house expert claims they have the skills to squeeze one off with a little extra effort that Microsoft will never hear but everyone will smell...but I am really waiting for the surgeons to come in and go to work. ;)
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18094620 Sat, 31 Mar 2007 14:13:25 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094606 Kiwi : I have not read all responses, but this appears like a Java based exploit. Interesting.

[Edit]
This seems more Trojan based, than either a virus or worm. The Java aspect seems related to an indirect ASPI hook.]]> http://www.dslreports.com/forum/remark,18094606 Sat, 31 Mar 2007 14:10:56 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094571 Name Game : "Because simply previewing an HTML e-mail message can result in an infection, Microsoft also provided additional details late yesterday on which of its e-mail clients are safest to use. According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista's Windows Mail -- as long as users don't reply or forward the attacker's messages. The SANS Institute's testing, however, contradicted Microsoft; by SANS' account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don't have to actually open the message to be in danger of an infection.

In-the-wild attacks, said Dunham, have been limited so far to those against Windows XP SP2 through Microsoft's Internet Explorer 6 and 7 (IE6 and IE7) browsers. But that won't likely remain the case for long. "Our tests prove that trivial modification is all that's required to update the payload and functionality on multiple operating system builds," he said.

And while Microsoft yesterday said Vista's version of IE7 protects users, eEye's Brown added that browser-based attacks aren't the only game in town. "I get the PR [public relations] angle they're going down, but there are all sorts of ways this can come in, including HTML e-mail. Vista's not immune."

»www.computerworld.com/action/art···=9015138
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18094571 Sat, 31 Mar 2007 14:00:25 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094533 AB :
said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From practical standpoint the end result is the same I suppose but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.]]> http://www.dslreports.com/forum/remark,18094533 Sat, 31 Mar 2007 13:49:58 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094493 Name Game : Usage note Mitigate, whose central meaning is “to lessen” or “make less severe,” is sometimes confused with militate, “to have effect or influence,” in the phrase mitigate against: This criticism in no way militates (not mitigates) against your going ahead with your research. Although this use of mitigate occasionally occurs in edited writing, it is rare and is widely regarded as an error.

not mitigate (make less severe) attempts to exploit

can mitigate (make less severe) the risk

maybe attempts to exploit is not considered to be a risk in plain text.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,18094493 Sat, 31 Mar 2007 13:39:13 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094492 javaMan :
said by AB See Profile :

From the Security Focus article:

"The JavaScript code had previously used known vulnerabilities to exploit the systems of visitors to various Web sites, including the site for Super Bowl venue Dolphin Stadium, but have now transitioned over to using a vulnerability that has not been patched, Marx said.

Other security researchers have found a greater number of pages apparently hosting the file. A search of Google returns more than 113,000 pages with the JavaScript attack on it, according to a blog post by McAfee researcher Craig Schmugar." (Bolding mine.)

Sounds to me like javascript is involved here by more than just browser re-direction. As is often the case for web-based malware.
For me, the question is still is this just another garden-variety exploit being over-hyped (most likely), or truly something to be seriously concerned about?
A second question would be that since this is an old and known vulnerability, why didn't Microsoft patch this long ago?
Maybe they'll just recommend that everyone move to Vista and enable 'Protected Mode'.
The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From practical standpoint the end result is the same I suppose but it seems unreasonable to blame the automobile when the bank robbers get away.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20]]> http://www.dslreports.com/forum/remark,18094492 Sat, 31 Mar 2007 13:39:02 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094396 rhatsaruck : vircotto, Symantec has not addressed my issue. They do not explain how to determine if one has been infected.

In addition, the Symantec info you quoted

Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

contradicts Microsoft's info. Microsoft claims

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
]]> http://www.dslreports.com/forum/remark,18094396 Sat, 31 Mar 2007 13:09:17 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094350 AB :
said by ModemHead See Profile :

Regardless of whether Javascript is required to drop the malware or not, a reading of the Gecko documentation indicates to me that Gecko-based browsers are not going to be vulnerable because animated cursors are not supported.
Works for me. I use a Gecko-based browser. Thanks for the link. :)]]> http://www.dslreports.com/forum/remark,18094350 Sat, 31 Mar 2007 12:55:50 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094335 vircotto : Symantec has now addressed this.

»www.symantec.com/outbreak/animat···ity.html

...
Users of Outlook 2002 (or later) or Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

Symantec Security Response has released virus definition signatures that will detect threats that attempt to exploit this vulnerability. These threats will be detected as Bloodhound.Exploit.131. Certified virus definitions dated March 30, 2007 or later contain this detection.
]]> http://www.dslreports.com/forum/remark,18094335 Sat, 31 Mar 2007 12:51:38 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094294 ModemHead : Regardless of whether Javascript is required to drop the malware or not, a reading of the Gecko documentation indicates to me that Gecko-based browsers are not going to be vulnerable because animated cursors are not supported.

See Using URL values for the cursor property, esp. the section titled "Limitations" and "Compatibility with other browsers".]]> http://www.dslreports.com/forum/remark,18094294 Sat, 31 Mar 2007 12:42:45 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18094132 AB :
said by swhx7 See Profile :

said by AB See Profile :

said by Cudni See Profile :

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner/help/SavingCur.htm
It explains that .ani files are delivered with code like this:

<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell dlls ,etc.. Your mileage may vary.
From the Security Focus article:

"The JavaScript code had previously used known vulnerabilities to exploit the systems of visitors to various Web sites, including the site for Super Bowl venue Dolphin Stadium, but have now transitioned over to using a vulnerability that has not been patched, Marx said.

Other security researchers have found a greater number of pages apparently hosting the file. A search of Google returns more than 113,000 pages with the JavaScript attack on it, according to a blog post by McAfee researcher Craig Schmugar." (Bolding mine.)

Sounds to me like javascript is involved here by more than just browser re-direction. As is often the case for web-based malware.
For me, the question is still is this just another garden-variety exploit being over-hyped (most likely), or truly something to be seriously concerned about?
A second question would be that since this is an old and known vulnerability, why didn't Microsoft patch this long ago?
Maybe they'll just recommend that everyone move to Vista and enable 'Protected Mode'.]]> http://www.dslreports.com/forum/remark,18094132 Sat, 31 Mar 2007 12:09:52 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093986 rhatsaruck : Has any firm explained how to determine if you are already infected? The Microsoft advisory is silent on this matter as is Symantec, my AV vendor.]]> http://www.dslreports.com/forum/remark,18093986 Sat, 31 Mar 2007 11:38:23 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093351 Mele20 : I'm curious why you didn't install their patch instead?

What AV do you have? Most are protecting against it now..but not mine and it is ironic because Avira adds more definitions than anyone just about. :(]]> http://www.dslreports.com/forum/remark,18093351 Sat, 31 Mar 2007 08:38:38 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093229 daveinpoway : I installed Blink Neighborhood Watch from eEye yesterday; they claim this will protect my PC from this problem, but I haven't found any test site to verify if I am indeed protected or not. Since I am using Zone Alarm Pro, I disabled both firewalls in BNW; hopefully, the protection against this malware is still present without BNW's firewalls, but who knows for sure?]]> http://www.dslreports.com/forum/remark,18093229 Sat, 31 Mar 2007 07:14:55 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093174 matunga : »securitytracker.com/alerts/2007/···827.html

This can be exploited via various methods, including HTML and e-mail and is not limited to files with a '.ani' file extension.

This can be exploited via various applications that use the vulnerable Windows functions, including Microsoft Internet Explorer, Windows Explorer, Mozilla Firefox, and Microsoft Outlook.

Users with Internet Explorer 7 running in Protected Mode on Windows Vista are not affected.]]> http://www.dslreports.com/forum/remark,18093174 Sat, 31 Mar 2007 06:08:13 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093102 swhx7 : Update:

.ani files are interpreted by user32.dll ( »research.eeye.com/html/alerts/ze···328.html ), and it also does a bunch of other things in Windows, so unregistering it would not be an option.

The above page also links to a 3rd party patch.

Note: .ani files can be renamed to .jpg or .jpeg and still be effective in this attack.

said by AB See Profile :

said by Cudni See Profile :

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner/help/SavingCur.htm
It explains that .ani files are delivered with code like this:

<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell dlls ,etc.. Your mileage may vary.]]> http://www.dslreports.com/forum/remark,18093102 Sat, 31 Mar 2007 04:33:43 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093060 Mele20 : McAfee says Firefox 2.0 is not vulnerable. Many are still using 1.5 and without a POC we can't know if it is or is not vulnerable. Probably not but McAfee may not be right as other security experts say that Fx is vulnerable under some circumstances.

I don't like any other email client. OE is the only email client I have used that I really like. ]]> http://www.dslreports.com/forum/remark,18093060 Sat, 31 Mar 2007 03:44:44 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18093028 swhx7 : Microsoft has known about this since 2006.12, and published an advisory only when exploits were reported. »blogs.zdnet.com/security/?p=143

McAfee says Firefox is not vulnerable. »www.avertlabs.com/research/blog/?p=230

I haven't confirmed it, but I suspect that .ani files are run by one of those shell handler things in Windows. I wonder whether a workaround could be as simple as disabling whatever it is in Windows that runs .ani files.

I would be surprised if Firefox downloads .ani files without warning and calls the relevant handler. If anyone reading this has ever seen a Mozilla browser load up and use an animated cursor without asking permission, or if anyone has seen a proof of concept page so we can test it, please post.

Microsoft email software is an infection vector because it uses the IE pieces for interpreting HTML. Use an email client that doesn't rely on IE and you're ok.]]> http://www.dslreports.com/forum/remark,18093028 Sat, 31 Mar 2007 03:17:05 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18092279 La Luna :
said by AB See Profile :

said by La Luna See Profile :

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you! ;) :D
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.
Oh crap, this is too confusing.....someone get back to me when it's sorted out, lol....

Now, let me go search for the email from that rich old coot..... :D
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~

]]> http://www.dslreports.com/forum/remark,18092279 Fri, 30 Mar 2007 22:50:42 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18092249 AB :
said by La Luna See Profile :

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you! ;) :D
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.]]> http://www.dslreports.com/forum/remark,18092249 Fri, 30 Mar 2007 22:45:13 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18092187 La Luna : I've never, ever seen an animated ani file in an email? And why would I open an email from an unknown source who might embed one in an email?

I suppose it could be passed on by someone else who foolishly opened something unknown, but still, that's a long shot. I can't think of anyone I email with who would do that.

Maybe I'm not understanding the mode of propagation with this.

Clicking unknowlingly on an infected website seems like it would be more of a problem to me.
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~

]]> http://www.dslreports.com/forum/remark,18092187 Fri, 30 Mar 2007 22:26:10 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18091804 Mele20 : All you need to do is use Outlook Express set to Plain Text for reading and then open an email that has embedded ANI files and unless your AV is detecting this, you are infected. If you use default settings for OE then you would get some interactive warning as the email would open in HTML but most folks will ignore the warning and get infected.

»isc.sans.org/diary.html?storyid=···f99022a6
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18091804 Fri, 30 Mar 2007 21:01:29 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18091728 La Luna : Well, this really IS confusing....from Cudni See Profile's link:

The animated-cursor flaw affects all versions of Windows, including Windows Vista, as well as Internet Explorer 6 and 7.

»www.securityfocus.com/brief/473

So what's the deal? You have to visit an infected site or open an email and click on a link that sends you to a site that has these infected cursors on it?
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~

]]> http://www.dslreports.com/forum/remark,18091728 Fri, 30 Mar 2007 20:49:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18091544 Mele20 : Seven AV companies have issued protection. My AV is not one of them. I also use Outlook Express. DEFAULT settings in OE are somewhat protective in that interaction is required so for those who wouldn't just ignore and click on through there is some protection. For Plain Text readers though they are actually at the MOST RISK of all. ]]> http://www.dslreports.com/forum/remark,18091544 Fri, 30 Mar 2007 20:17:03 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18091090 art22gg : Hi,
There sure seems to be a lot of conflicting stories/confusion going on about this subject.Hopefully the situation will be straightened up with/by someone making a definitive conclusion,about who/what is vulnerable.
MS says per quote--
Mitigating Factors for Animated Cursor Vulnerability


Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.--------This is not "Security Focus" is saying!
Art]]> http://www.dslreports.com/forum/remark,18091090 Fri, 30 Mar 2007 18:50:45 EDT Re: Chinese servers host malicious cursor attacks http://www.dslreports.com/forum/remark,18090953 AB :
said by Cudni See Profile :

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni! :)
Still sounds pretty severe, but the javascript aspect is hardly anything new.
I'll continue to disallow it as a general rule, and wait for further developments.
Won't be using any animated cursors, either.]]> http://www.dslreports.com/forum/remark,18090953 Fri, 30 Mar 2007 18:21:05 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18090878 jansson_mark : Any POC anywhere?
Id surely like to check if Im vulnerable with Firefox, because these reports dont clearly say yes or no to that...]]> http://www.dslreports.com/forum/remark,18090878 Fri, 30 Mar 2007 18:08:27 EDT Chinese servers host malicious cursor attacks http://www.dslreports.com/forum/remark,18090859 Cudni : from
»www.securityfocus.com/brief/473
"...
A criminal group responsible for using compromised Web sites to spread malicious software have already started using the latest Microsoft flaw to install their code from at least three servers in China, security experts said on Friday.
.."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006]]> http://www.dslreports.com/forum/remark,18090859 Fri, 30 Mar 2007 18:04:32 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18090753 AB :
said by daveinpoway See Profile :

Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/
Well, now I'm thoroughly confused.
This article seems to indicate that Windows animated cursors are not at risk, and the exploit comes from allowing an animated cursor to run on a particular website, or within an HTML e-mail.
WTF?? Am I missing something? Do animated cursor files abound on websites? Do I run them all the time and just not know it?
Or is javascript heavily involved in this?
And do I have to just run some sort of .ani file on a webpage, or actually allow something specific to be downloaded onto my machine, or is user interaction not even required?

I'm not sure what that smell is.
This is either very scary or hardly worth concerning about-- and I'll be damned if I know which right now.]]> http://www.dslreports.com/forum/remark,18090753 Fri, 30 Mar 2007 17:41:37 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18090392 daveinpoway : Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/]]> http://www.dslreports.com/forum/remark,18090392 Fri, 30 Mar 2007 16:32:34 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18090073 AB :
said by Mele20 See Profile :

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7)
Don't use an animated cursor?]]> http://www.dslreports.com/forum/remark,18090073 Fri, 30 Mar 2007 15:34:50 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18088129 Grail Knight : Has this patch been tested by any other security vendors?]]> http://www.dslreports.com/forum/remark,18088129 Fri, 30 Mar 2007 09:30:07 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18088009 rgillis70 : Outlook 2007 and IE7 on Vista (as shipped) are not vulnerable to this one.]]> http://www.dslreports.com/forum/remark,18088009 Fri, 30 Mar 2007 09:04:39 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087984 swhx7 :
said by KachiWachi See Profile :

I guess you don't visit myspace often then swhx7. ;)
Well, seriously, if you or anyone can give me a link to a page that has this in it (harmless .ani file that is), I'd like to check it out. PM is OK.]]> http://www.dslreports.com/forum/remark,18087984 Fri, 30 Mar 2007 09:00:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087786 Mele20 : There is a temporary patch from eeye security.

»research.eeye.com/html/alerts/ze···328.html

I'm just about to install it.]]> http://www.dslreports.com/forum/remark,18087786 Fri, 30 Mar 2007 08:03:09 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087752 KachiWachi : I guess you don't visit myspace often then swhx7. ;)]]> http://www.dslreports.com/forum/remark,18087752 Fri, 30 Mar 2007 07:48:21 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087630 swhx7 : OK, I can see Fireferret/Moz browsers being vulnerable if a page can get them to call the Windows routines for using a new cursor from an .ani file instead of the regular cursor the user already has going on. But how would that happen?

In several years of surfing with Mozilla/Seamonkey I've never had the cursor become animated. If it did I would have immediately found a way to prevent it, because I find that sort of thing intolerably annoying.

This must not be confused with the substitute cursors that can be specified with stylesheets. With some CSS you can make a compliant browser use a question mark or crosshairs, for example, instead of the usual pointer. An ani cursor, I presume, would be actually moving on its own.]]> http://www.dslreports.com/forum/remark,18087630 Fri, 30 Mar 2007 06:38:23 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087603 Mele20 : Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7) and even Windows Vista Mail is somewhat vulnerable. From Microsoft Security Advisory (935423):

"Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability."

I have always read all email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/]]> http://www.dslreports.com/forum/remark,18087603 Fri, 30 Mar 2007 06:24:40 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087575 bcool : Wow! In one little thread two contradictory assertions:

"Alternative browsers such as Firefox and Opera do not appear to be vulnerable to the attack." »www.vnunet.com/vnunet/news/21868···-attacks

"Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer" »www.derkeiler.com/Mailing-Lists/···536.html

Since Firefox most assuredly calls upon the Windows API, I will err on the side of caution. :(
--
"in flagrante delicto"]]> http://www.dslreports.com/forum/remark,18087575 Fri, 30 Mar 2007 06:10:53 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087546 matunga : This flaw is a Windows's flaw, not a browser's flaw. Both browsers IE and Firefox are at risk:

Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer

All applications that use certain Windows API calls are affected, including Internet Explorer, Windows Explorer, Mozilla Firefox and Outlook.

»www.derkeiler.com/Mailing-Lists/···536.html]]> http://www.dslreports.com/forum/remark,18087546 Fri, 30 Mar 2007 05:43:35 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18087075 anon : Found the answer, it is Microsoft products only.
»www.vnunet.com/vnunet/news/21868···-attacks]]> http://www.dslreports.com/forum/remark,18087075 Fri, 30 Mar 2007 00:53:20 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18086903 anon : I couldn't tell from the writeup - does this affect only IE or can it be exploited via other browsers too? What does Firefox do with the .ani cursors? If there is an animated cursor feature in Firefox, can it be turned off?

(swhx7 posting anon. because of untrusted computer)]]> http://www.dslreports.com/forum/remark,18086903 Fri, 30 Mar 2007 00:07:20 EDT Re: Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18085512 DownTheShore : Thanks for posting this.]]> http://www.dslreports.com/forum/remark,18085512 Thu, 29 Mar 2007 19:58:04 EDT Microsoft Security Advisory (935423) Vulnerability in Window http://www.dslreports.com/forum/remark,18085278 NICK ADSL UK : Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

»www.microsoft.com/technet/securi···423.mspx
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security

]]> http://www.dslreports.com/forum/remark,18085278 Thu, 29 Mar 2007 19:12:10 EDT