said by DownTheShore :

It's a vulnerability in the portion of the computer code that allows you to run animated cursors, if I'm understanding it correctly. Nefarious people can use certain browsers/websites to access that coding on your machine and divert it to their own purposes.

You may or may not be vulnerable to it, and your anti-virus program may stop it automatically, but just to be sure, Windows Update has a patch for the problem.

said by jcbsinger :

Could anyone here please explain me that what is ANI flaw, I am kinda new to this area :(

said by Mele20 :

That's because you don't use it. I know what the differences are between 1.5 and 2.0 and I won't use 2.0 because of the privacy invasions in 2.0. I also know the differences between the best version of Fx (0.8) and 1.0 and 1.5 and 2.0. As for different extensions causing different problems, the user can always boot into Fx Safe Mode where the extensions and themes are disabled to see if they still have the problem. The extensions are why we use Fx and we become quicky and strongly addicted to them and it's unthinkable to go use IE which has none of the richness of Fx...none of the vista of potential either.

said by Name Game :

And what you just described is the biggest problem with Firefox..in the IE world at least people know the differences in IE5, IE5.5, IE6, and IE7..but when it come to Firefox and people say they have a problem with it..you have no idea what version or plug in or other opensource gimmick they have with it..the whole project has little or no quality control..each version has it own particular problems and I constantly see gurus who write code for it tell users it is not our fault contact the webmaster of the site..or some other vendor.

said by swhx7 :

javaMan is right, the browser is only a vehicle. What causes the problem here is unpatched user32.dll interpreting an animated cursor file. The file need not be named with .ani extension.

When we were discussing it before in the other thread (1 and 2 april), we observed that the most straightforward way of delivering the file, namely putting reference to it in a CSS line, did not work on Firefox. And Mozilla doc page said that Firefox could not use the ani files.

WHat we have now is a proof of concept (POC) of infection via Firefox. But they do not explain how it works and they won't until there's a Firefox patch. The two obvious possibilities are (a) certain versions of Firefox support .ani although earlier versions don't or (b) there is some means of getting Firefox to download an ani file without user permission and ask user32.dll to run it, other than the CSS way.

The point of this whole issue is that it's not a choice. If it were something you could just turn off in Windows it would be less critical. The problem is malicious websites (or frames, emails etc.) can make the system try to run the supposed animated cursor (really a malware) without asking. We don't know how it works thru Firefox yet.

.ani files are a type of file that normally makes an animated cursor, but a malicious version of it can take over your computer, if you haven't installed the fix.

Simple answer for all Windows users now, install the patch. You will already have it if you use Automatic Updates. If you use Microsoft Update site and haven't gone there since about midday Tuesday 3rd April, do it now. If you download manually, go to: »www.microsoft.com/technet/securi···017.mspx

said by Boricua65 :

I don't use animated cursors, so I should be okay? I use Firefox 2.0.0.3 as the main browser and IE 6 when pages do not render well and for updates. Or are they talking about the cursors installed from Windows.

said by jcbsinger :

Could anyone here please explain me that what is ANI flaw, I am kinda new to this area :(

said by Name Game :

well rich..what you just posted made no sense..when it came to your words on the browser end of the deal..

said by La Luna :

I don't care anymore. I'm patched. :D

I think I lost track of the tennis game not long after this:

»Re: Chinese servers host malicious cursor attacks

:D

said by AB :

I think it was brought out in the other thread that javascript was *not* involved, beyond the browser re-direction nature of sending you to a page hosting the exploit, regardless of how it was presented in the 'Security Focus' article.
A CSS code trojan/worm, was what I got from it.
But there definitely seems to be a lot more confusion about what's up with this one than is ordinarily the case.
So many threads, so little time . . . . ;) :)

said by AB :

Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni!

said by Boricua65 :

I don't use animated cursors, so I should be okay?

said by javaMan :

What is worrisome is there are a variety of technologies that could possibly be used.

said by somebodynew5 :

These proof of concept pages often only test a limited subset of all possible attack vectors.

said by planet :

Would this exploit be less destructive to a machine running in a limited user account?

said by Name Game :

Love those bloggers :D

»blogs.zdnet.com/Ou/?p=461&tag=nl.e589

said by Grail Knight :

The patch was released today by MS in case you have not checked for updates. :)

said by somebodynew5 :

I think the biggest problem with these Proof of Concept test pages is people think that just because they pass one particular test that says their system is safe they think they are safe.

These proof of concept pages often only test a limited subset of all possible attack vectors. . . .

. . In this case the exploit can be triggered by some CSS code to load a ANI cursor file, So with some tweaks I am sure it is quite possible to cause Firefox to attempt to load a ANI file into windows.

said by matunga :

This is a short flash video of exploiting the ANI vulnerability on Windows Vista. The exploit works against both Internet Explorer 7 and Mozilla Firefox 2.0:

»determina.blogspot.com/2007/04/e···ani.html

said by planet :

Would this exploit be less destructive to a machine running in a limited user account?

said by La Luna :

I thought we already established in the other thread about this that js IS involved, and that there is conflicting info on which browsers may or may not be affected?

»Microsoft Security Advisory (935423) Vulnerability in Window

»www.securityfocus.com/brief/473

Why start a new thread? It just makes it more confusing and harder to keep up with.

said by Cudni :

the poc listed below did not crash FF (on either XP or W2K)

»zert.isotf.org/tests/testani.htm

It closed IE7 but not IE6

said by matunga :

... Firefox 2.0.0.3 is affected with or without NoScript.
The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default)

said by matunga :

The only browser not at risk is Internet Explorer 7 under Windows Vista because the Protected Mode (enabled by default)

said by angussf :

I went to a site which purports to test your browser and my Firefox 2.0.0.3 with NoScript was not vulnerable. IE6 with scripting disabled is also not vulnerable.

said by jansson_mark :

Im still having a bit trouble believing all this.

Well, for starters I dont understand how the heck is Firefox connected to animated cursors of Windows in the first place. I just dont get it. Second, I havent SEEN and TRYED OUT any POC on my Firefox 2.0.0.3.