matunga
join:2003-07-26
|  Firefox 2 is vulnerable to ANI flaw
»determina.blogspot.com/2007/04/e···ani.html | |
|
 Mele20
Premium
join:2001-06-05
Hilo, HI | Re: Firefox 2 is vulnerable to ANI flaw The exploit is more severe in Fx! And over at Mozillazine they have been pooh-pooing this entire thing.
Thanks for the link. I don't have Flash Player on my main machine but I do have it on a virtual one so I watched this there. | |
|
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
| Im still having a bit trouble believing all this.
Well, for starters I dont understand how the heck is Firefox connected to animated cursors of Windows in the first place. I just dont get it. Second, I havent SEEN and TRYED OUT any POC on my Firefox 2.0.0.3.
--
My computer security & privacy related homepage »www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy. | |
|
 | 
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Re: Firefox 2 is vulnerable to ANI flaw said by jansson_mark  :Im still having a bit trouble believing all this. Well, for starters I dont understand how the heck is Firefox connected to animated cursors of Windows in the first place. I just dont get it. Second, I havent SEEN and TRYED OUT any POC on my Firefox 2.0.0.3. It is getting more complicated than that..and depends on how you have the security set on IE or any other browser..
I can set IE6 up and it will not be hit..also same with IE7.
But I do understand your point.
Vulnerability Details
(Credit to Joe Stewart, SecureWorks)
The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.
With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.
Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:⁄WINDOWS⁄ or C:⁄WINNT⁄). This approach should successfully mitigate most "drive-by's," code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.
For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files.
»zert.isotf.org/advisories/zert-2007-01.htm
Compromised sites using ANI exploit code
»www.websense.com/securitylabs/bl···ogID=119
Apr 2 2007 3:15PM ~ "Websense's ThreatSeeker(tm) technology has discovered that a large set of websites have been compromised within the Asia Pacific Region and have embedded IFRAMES within them pointing to a site that is hosting the ANI exploit code. An IFRAME or "invisible frame" is an element which makes it possible to embed another HTML document inside the main document. From Wikipedia: http://en.wikipedia.org/wiki/Iframe.
Although we are tracking hundreds of other sites that are hosting ANI exploit files this alert pertains to one group of sites that are all connecting to the same host. Many of the sites appear to be running online blogs or message boards. Most sites have embedded IFRAME's on all pages leading to a main set of sites which are hosting the exploit code. The number of unique sites currently up and running for this one attack is greater than 50 and the number of pages is greater than 500. Assuming users connect to the sites they will be redirected to two unique locations which are hosting exploit code which in turn downloads and installs a file called "ad.exe". The file includes a generic password stealer and is not detected well by most Antivirus companies (MD5 0c9217553871d3eb5f20b553d91a098b)..."
(Screenshots available at the URL above.)
http://forums.spybot.info/showthread.php?s=ddf7a0304bcf9398c9c38d1b84cde327&t=12557&page=2
--
Gladiator Security Forum http://www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ | |
|
angussf
Premium
join:2002-01-11
Tucson, AZ | I went to a site which purports to test your browser and my Firefox 2.0.0.3 with NoScript was not vulnerable. IE6 with scripting disabled is also not vulnerable. | |
|
| matunga
join:2003-07-26
4 edits | Re: Firefox 2 is vulnerable to ANI flaw said by angussf :I went to a site which purports to test your browser and my Firefox 2.0.0.3 with NoScript was not vulnerable. IE6 with scripting disabled is also not vulnerable. Sorry, but javascript is not involved in this flaw, so Firefox 2.0.0.3 is affected with or without NoScript.
The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default) | |
|
| | 
MeDuZa
join:2003-06-13
Austria
| Re: Firefox 2 is vulnerable to ANI flaw said by matunga :The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default) No crash here. I'm getting the below message with both browsers Opera and K-Meleon on w2k.
quote:
you do not appear to be vulnerable to the ie ani cursor exploit
for more information about the exploit and the patch visit: zert
Is there any other test site to check?
--
Reality corrupted. Reboot universe? (Y/N) | |
|
| | |
|
| 
CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX | Re: Firefox 2 is vulnerable to ANI flaw Hmm... with hardware DEP on... It didn't crash ff or cause IE7 to close...
--
da Cajun Darn I hate Malware | |
|
| Jrb2
Premium
join:2001-08-31
| Hi Cudni,
IMON (NOD32) immediately jumps up with a warning (see screenie) when clicking on that link.
Then I see: "you do not appear to be vulnerable to the ie ani cursor exploit" (etc etc). | |
|
| 
AB
Premium
join:2006-04-04
Leesburg, VA
| The screenshot is what I get with Firefox 2.0.0.3 at that link.
I notice they call it an "ie exploit". Just poor characterization on their part? | |
|
| | 
somebodynew5
@direcpc.com
| Re: Firefox 2 is vulnerable to ANI flaw I think the biggest problem with these Proof of Concept test pages is people think that just because they pass one particular test that says their system is safe they think they are safe.
These proof of concept pages often only test a limited subset of all possible attack vectors. So while one proof of concept page may only trigger the exploit under IE there may also be attack vectors available under Firefox that are simply not exploited by the particular POC test page. A simple change to the exploit code may be able to attack using other browsers or avenues of exploit.
Much like all pages do not render the same under all browser many core operating system exploits require some minor code changes to target other browsers.
So any time the flaw is located in the underlying operating system just using a different browser may not close all available attack vectors. It all depends on the actual exploit. In this case the exploit can be triggered by some CSS code to load a ANI cursor file, So with some tweaks I am sure it is quite possible to cause Firefox to attempt to load a ANI file into windows.
| |
|
| | |
CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX | Re: Firefox 2 is vulnerable to ANI flaw Just an FYI folks.. there is a patch available at windows update... even as I type...
--
da Cajun Darn I hate Malware | |
|
| | |
AB
Premium
join:2006-04-04
Leesburg, VA
| said by somebodynew5 :
I think the biggest problem with these Proof of Concept test pages is people think that just because they pass one particular test that says their system is safe they think they are safe.
These proof of concept pages often only test a limited subset of all possible attack vectors. . . .
. . In this case the exploit can be triggered by some CSS code to load a ANI cursor file, So with some tweaks I am sure it is quite possible to cause Firefox to attempt to load a ANI file into windows. I don't doubt this for a moment. | |
|
| | | | |
| | | | | 
dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
 ·Comcast
1 edit | Re: Firefox 2 is vulnerable to ANI flaw #1 SMALL picture even when clicked on... cannot read text.
#2 No problems here in IE 7 after patch.
--
Think outside the Fox... Opera | |
|
Boricua65
join:2002-01-26
Puerto Rico | I don't use animated cursors, so I should be okay? I use Firefox 2.0.0.3 as the main browser and IE 6 when pages do not render well and for updates. Or are they talking about the cursors installed from Windows. | |
|
|
|
AB
Premium
join:2006-04-04
Leesburg, VA
| Re: Firefox 2 is vulnerable to ANI flaw I think it was brought out in the other thread that javascript was *not* involved, beyond the browser re-direction nature of sending you to a page hosting the exploit, regardless of how it was presented in the 'Security Focus' article.
A CSS code trojan/worm, was what I got from it.
But there definitely seems to be a lot more confusion about what's up with this one than is ordinarily the case.
Why start a new thread? It just makes it more confusing and harder to keep up with. So many threads, so little time . . . .   | |
|
| | 
planet
join:2001-11-05
Olmsted Falls, OH | Re: Firefox 2 is vulnerable to ANI flaw Would this exploit be less destructive to a machine running in a limited user account? | |
|
| | |
AB
Premium
join:2006-04-04
Leesburg, VA
| Re: Firefox 2 is vulnerable to ANI flaw said by planet :Would this exploit be less destructive to a machine running in a limited user account? I hold myself out as no big security expert, but I think that's the case pretty much regardless of the nature of the exploit, isn't it? | |
|
| | 
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
 ·Vonage
| said by AB :I think it was brought out in the other thread that javascript was *not* involved, beyond the browser re-direction nature of sending you to a page hosting the exploit, regardless of how it was presented in the 'Security Focus' article. A CSS code trojan/worm, was what I got from it. But there definitely seems to be a lot more confusion about what's up with this one than is ordinarily the case. Why start a new thread? It just makes it more confusing and harder to keep up with. So many threads, so little time . . . . I don't care anymore. I'm patched. 
I think I lost track of the tennis game not long after this:
said by AB :Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni! »Re: Chinese servers host malicious cursor attacks
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~
| |
|
| | |
AB
Premium
join:2006-04-04
Leesburg, VA
| Re: Firefox 2 is vulnerable to ANI flaw said by La Luna :I don't care anymore. I'm patched. I think I lost track of the tennis game not long after this: said by AB :Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni! » Re: Chinese servers host malicious cursor attacks That was early on in the thread, and just referenced what was printed in the 'Security Focus' article. It became apparent later that javascript was not the culprit on this one.
Meaning that was an incorrect statement on my part.
Glad to hear you're patched up without issues, Luna! | |
|
|
javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA
| I'm somewhat perplexed and worried by this term "browser vulnerability" This is an OS vulnerability; web based technologies employed by the browser are simply the vehicle used for transport. As such there is no browser test that will demonstrate either invulnerability or vulnerability. As somebodynew5 noted there are only tests that will indicate whether a particular technology used by the browser is usable for the delivery. What is worrisome is there are a variety of technologies that could possibly be used. It seems prudent to me then that one should not place too much confidence in these "browser vulnerability" tests. Invulnerability will only be attained when MS provides the patch which, according to reports, is coming soon.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 | |
|
| 
Grail Knight
Who Dares Wins
Premium
join:2003-05-31 | Re: Firefox 2 is vulnerable to ANI flaw The patch was released today by MS in case you have not checked for updates. | |
|
| |
javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA
| Re: Firefox 2 is vulnerable to ANI flaw said by Grail Knight :The patch was released today by MS in case you have not checked for updates. Yeah, thanks. I checked right after posting that message and installed it.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 | |
|
| | |
Grail Knight
Who Dares Wins
Premium
join:2003-05-31 | Re: Firefox 2 is vulnerable to ANI flaw I figured as much but better safe then sorry. | |
|
|
mysec
Premium
join:2005-11-29
| said by Boricua65 :I don't use animated cursors, so I should be okay?
Note that it is the code of an animated cursor file, and not an animated cursor itself which does the work. The file has to be embedded in a web page or email. Also, file extensions other than *.ani are used. The one I tested was a .jpg file with the .ani code inside.
said by javaMan : What is worrisome is there are a variety of technologies that could possibly be used. said by somebodynew5 :
These proof of concept pages often only test a limited subset of all possible attack vectors.
Again, Kevin's and my points in the AV thread: if you depend on trying to cover all bases of exploit carriers (.ani, .wmf, etc) you will always be in "emergency mode" but if you are set up to catch the payload, well, the *,ani file can sit cached all day but won't do anything.
said by planet :Would this exploit be less destructive to a machine running in a limited user account?
Of course! fatdcuk pointed out to me the irony of the video, in that that DEP had to be turned off in order for the exploit to run. It's reminiscent of the firewall leaktests: you have to disable your security to let the test executable run to prove you are vulnerable.
Well, they get paid to stir up discussion. But some relevant conclusions can be made from such articles. The browser is on the front line,and should not be depended upon for ones total security. One should always have protection behind the browser for the unexpected.
So what if on day-Zero you encounter the .ani exploit on a web page and it gets by the your browser. Doesn't everyone here have something in place that would block the executable payload? I certainly hope so!
Then, you don't have to be in "emergency mode" and can calmly await the official patch (now released).
regards,
-rich
______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier | |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| well rich..what you just posted made no sense..when it came to your words on the browser end of the deal..but it certainly is true one needs to stop a vector or a payload if it was cause damage..but your supposition would then be to stop everything until you make sure no one is going to throw mama from the train.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
| mysec
Premium
join:2005-11-29
| Re: Firefox 2 is vulnerable to ANI flaw said by Name Game :well rich..what you just posted made no sense..when it came to your words on the browser end of the deal..
Why? Sure, browsers have certain security built in. Up until recently, both Opera and FireFox users have laughed at IE users, but now, FF has experienced many vulnerabilities, and O is perhaps not far behind, once malware writers focus on it. No line of code is immune from being exploited.
With that in mind, I would never depend on my browser to be immune from some unknown exploit, and so, I advocate that we should have protection in back of the browser for the "in case" scenario.
quote:
but it certainly is true one needs to stop a vector or a payload if it was cause damage..but your supposition would then be to stop everything until you make sure no one is going to throw mama from the train.
My supposition is to stop *any* executable from being installed by remote code execution, aka, drive-by download.
Many ways to do that: DEP, SRP, Limited User, 3rd-party execution protection -- all White List solutions.
regards,
-rich
______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier | |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Naw..just 'lock down' the browser and many threads at this forum to explain the settings to do so. limited user is now set at default for any who hav winxp sp2..and Vista has its own version of the same..no need for theird party stuff..their are setting in your browser to do just that and even IE6 has popup blocker protection that does more than some users realize..but its all there if one looks and sets it up
»www.microsoft.com/windowsxp/sp2/···iew.mspx
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
jcbsinger
join:2007-04-03
New York, NY
| Could anyone here please explain me that what is ANI flaw, I am kinda new to this area 
--
Guide on Mp4
»www.mp4-converter.net | |
|
| 
DownTheShore
Maddie Knows Poopie
Premium
join:2003-12-02
Beautiful NJ
clubs:
| Re: Firefox 2 is vulnerable to ANI flaw said by jcbsinger :Could anyone here please explain me that what is ANI flaw, I am kinda new to this area It's a vulnerability in the portion of the computer code that allows you to run animated cursors, if I'm understanding it correctly. Nefarious people can use certain browsers/websites to access that coding on your machine and divert it to their own purposes.
You may or may not be vulnerable to it, and your anti-virus program may stop it automatically, but just to be sure, Windows Update has a patch for the problem.
--
Life is simply one damned thing after another. | |
|
| |
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Re: Firefox 2 is vulnerable to ANI flaw said by DownTheShore :said by jcbsinger :Could anyone here please explain me that what is ANI flaw, I am kinda new to this area It's a vulnerability in the portion of the computer code that allows you to run animated cursors, if I'm understanding it correctly. Nefarious people can use certain browsers/websites to access that coding on your machine and divert it to their own purposes. You may or may not be vulnerable to it, and your anti-virus program may stop it automatically, but just to be sure, Windows Update has a patch for the problem. »Mozilla Firefox Insecure Element Stealth Injection Vulnerabi
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable
| javaMan is right, the browser is only a vehicle. What causes the problem here is unpatched user32.dll interpreting an animated cursor file. The file need not be named with .ani extension.
When we were discussing it before in the other thread (1 and 2 april), we observed that the most straightforward way of delivering the file, namely putting reference to it in a CSS line, did not work on Firefox. And Mozilla doc page said that Firefox could not use the ani files.
WHat we have now is a proof of concept (POC) of infection via Firefox. But they do not explain how it works and they won't until there's a Firefox patch. The two obvious possibilities are (a) certain versions of Firefox support .ani although earlier versions don't or (b) there is some means of getting Firefox to download an ani file without user permission and ask user32.dll to run it, other than the CSS way.
said by Boricua65 :I don't use animated cursors, so I should be okay? I use Firefox 2.0.0.3 as the main browser and IE 6 when pages do not render well and for updates. Or are they talking about the cursors installed from Windows. The point of this whole issue is that it's not a choice. If it were something you could just turn off in Windows it would be less critical. The problem is malicious websites (or frames, emails etc.) can make the system try to run the supposed animated cursor (really a malware) without asking. We don't know how it works thru Firefox yet.
said by jcbsinger :Could anyone here please explain me that what is ANI flaw, I am kinda new to this area .ani files are a type of file that normally makes an animated cursor, but a malicious version of it can take over your computer, if you haven't installed the fix.
Simple answer for all Windows users now, install the patch. You will already have it if you use Automatic Updates. If you use Microsoft Update site and haven't gone there since about midday Tuesday 3rd April, do it now. If you download manually, go to: »www.microsoft.com/technet/securi···017.mspx | |
|
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Re: Firefox 2 is vulnerable to ANI flaw said by swhx7 :javaMan is right, the browser is only a vehicle. What causes the problem here is unpatched user32.dll interpreting an animated cursor file. The file need not be named with .ani extension. When we were discussing it before in the other thread (1 and 2 april), we observed that the most straightforward way of delivering the file, namely putting reference to it in a CSS line, did not work on Firefox. And Mozilla doc page said that Firefox could not use the ani files. WHat we have now is a proof of concept (POC) of infection via Firefox. But they do not explain how it works and they won't until there's a Firefox patch. The two obvious possibilities are (a) certain versions of Firefox support .ani although earlier versions don't or (b) there is some means of getting Firefox to download an ani file without user permission and ask user32.dll to run it, other than the CSS way. said by Boricua65 :I don't use animated cursors, so I should be okay? I use Firefox 2.0.0.3 as the main browser and IE 6 when pages do not render well and for updates. Or are they talking about the cursors installed from Windows. The point of this whole issue is that it's not a choice. If it were something you could just turn off in Windows it would be less critical. The problem is malicious websites (or frames, emails etc.) can make the system try to run the supposed animated cursor (really a malware) without asking. We don't know how it works thru Firefox yet. said by jcbsinger :Could anyone here please explain me that what is ANI flaw, I am kinda new to this area .ani files are a type of file that normally makes an animated cursor, but a malicious version of it can take over your computer, if you haven't installed the fix. Simple answer for all Windows users now, install the patch. You will already have it if you use Automatic Updates. If you use Microsoft Update site and haven't gone there since about midday Tuesday 3rd April, do it now. If you download manually, go to: » www.microsoft.com/technet/securi···017.mspx And what you just described is the biggest problem with Firefox..in the IE world at least people know the differences in IE5, IE5.5, IE6, and IE7..but when it come to Firefox and people say they have a problem with it..you have no idea what version or plug in or other opensource gimmick they have with it..the whole project has little or no quality control..each version has it own particular problems and I constantly see gurus who write code for it tell users it is not our fault contact the webmaster of the site..or some other vendor.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
|
| | Mele20
Premium
join:2001-06-05
Hilo, HI
| Re: Firefox 2 is vulnerable to ANI flaw said by Name Game :And what you just described is the biggest problem with Firefox..in the IE world at least people know the differences in IE5, IE5.5, IE6, and IE7..but when it come to Firefox and people say they have a problem with it..you have no idea what version or plug in or other opensource gimmick they have with it..the whole project has little or no quality control..each version has it own particular problems and I constantly see gurus who write code for it tell users it is not our fault contact the webmaster of the site..or some other vendor. That's because you don't use it. I know what the differences are between 1.5 and 2.0 and I won't use 2.0 because of the privacy invasions in 2.0. I also know the differences between the best version of Fx (0.8) and 1.0 and 1.5 and 2.0. As for different extensions causing different problems, the user can always boot into Fx Safe Mode where the extensions and themes are disabled to see if they still have the problem. The extensions are why we use Fx and we become quicky and strongly addicted to them and it's unthinkable to go use IE which has none of the richness of Fx...none of the vista of potential either.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|
| | |
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
1 edit | Re: Firefox 2 is vulnerable to ANI flaw said by Mele20 :said by Name Game :And what you just described is the biggest problem with Firefox..in the IE world at least people know the differences in IE5, IE5.5, IE6, and IE7..but when it come to Firefox and people say they have a problem with it..you have no idea what version or plug in or other opensource gimmick they have with it..the whole project has little or no quality control..each version has it own particular problems and I constantly see gurus who write code for it tell users it is not our fault contact the webmaster of the site..or some other vendor. That's because you don't use it. I know what the differences are between 1.5 and 2.0 and I won't use 2.0 because of the privacy invasions in 2.0. I also know the differences between the best version of Fx (0.8) and 1.0 and 1.5 and 2.0. As for different extensions causing different problems, the user can always boot into Fx Safe Mode where the extensions and themes are disabled to see if they still have the problem. The extensions are why we use Fx and we become quicky and strongly addicted to them and it's unthinkable to go use IE which has none of the richness of Fx...none of the vista of potential either. No.. that is because I help people with their Firefox problems..not only at DSLR but in the real world and other forums constantly running into prolems they have with it..some case just like the IE mentality where they refuse to update..but too many cases lately where it is just plain broken or won't work with another App and for Firefox 2 the latest is 2.0.0.3 and still counting. Safe Mode.. Firefox does not have a monopoly on that..it is a Microsoft thingie..Richness ??? like with Winamp and shoutcast ?
»www.mozilla.org/projects/firefox···map.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/ | |
|
| | |
|
|
|
