NICK ADSL UK
MVM
join:2004-02-22
united kingd

1 recommendation

Microsoft Security Advisory (935423) Vulnerability in Window

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

»www.microsoft.com/techne ··· 423.mspx

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

Thanks for posting this.

The_alt_swhx7 to NICK ADSL UK

Anon

I couldn't tell from the writeup - does this affect only IE or can it be exploited via other browsers too? What does Firefox do with the .ani cursors? If there is an animated cursor feature in Firefox, can it be turned off?

(swhx7 posting anon. because of untrusted computer)

The_alt_swhx7 to NICK ADSL UK

Anon

Found the answer, it is Microsoft products only.
»www.vnunet.com/vnunet/ne ··· -attacks
matunga
join:2003-07-26

Member

This flaw is a Windows flaw, not a browser flaw. Both browsers, IE and Firefox, are at risk:

Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer

All applications that use certain Windows API calls are affected, including Internet Explorer, Windows Explorer, Mozilla Firefox and Outlook.

»www.derkeiler.com/Mailin ··· 536.html

bcool
Premium Member
join:2000-08-25

1 recommendation

bcool to The_alt_swhx7

Wow! In one little thread two contradictory assertions:

"Alternative browsers such as Firefox and Opera do not appear to be vulnerable to the attack." »www.vnunet.com/vnunet/ne ··· -attacks

"Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer" »www.derkeiler.com/Mailin ··· 536.html

Since Firefox most assuredly calls upon the Windows API, I will err on the side of caution.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to NICK ADSL UK

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7) and even Windows Vista Mail is somewhat vulnerable. From Microsoft Security Advisory (935423):

"Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability."

I have always read all email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to NICK ADSL UK

OK, I can see Fireferret/Moz browsers being vulnerable if a page can get them to call the Windows routines for using a new cursor from an .ani file instead of the regular cursor the user already has going on. But how would that happen?

In several years of surfing with Mozilla/Seamonkey I've never had the cursor become animated. If it did I would have immediately found a way to prevent it, because I find that sort of thing intolerably annoying.

This must not be confused with the substitute cursors that can be specified with stylesheets. With some CSS you can make a compliant browser use a question mark or crosshairs, for example, instead of the usual pointer. An ani cursor, I presume, would be actually moving on its own.

KachiWachi
join:2004-02-12
Bucks Co, PA

Member

I guess you don't visit myspace often then swhx7.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to NICK ADSL UK

There is a temporary patch from eeye security.

»research.eeye.com/html/a ··· 328.html

I'm just about to install it.

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to KachiWachi

said by KachiWachi:

I guess you don't visit myspace often then swhx7.
Well, seriously, if you or anyone can give me a link to a page that has this in it (harmless .ani file that is), I'd like to check it out. PM is OK.
rgillis70
Premium Member
join:2002-12-30
Washington, DC

rgillis70 to NICK ADSL UK

Outlook 2007 and IE7 on Vista (as shipped) are not vulnerable to this one.

Grail Knight

Premium Member
join:2003-05-31
Valhalla

Grail Knight to Mele20

Has this patch been tested by any other security vendors?

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to Mele20

said by Mele20:

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7)
Don't use an animated cursor?
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway to NICK ADSL UK

Here's another article about this- »cwflyris.computerworld.c ··· 57317/2/

AB57
Premium Member
join:2006-04-04
equatorial

1 recommendation

said by daveinpoway:

Here's another article about this- »cwflyris.computerworld.c ··· 57317/2/
Well, now I'm thoroughly confused.
This article seems to indicate that Windows animated cursors are not at risk, and the exploit comes from allowing an animated cursor to run on a particular website, or within an HTML e-mail.
WTF?? Am I missing something? Do animated cursor files abound on websites? Do I run them all the time and just not know it?
Or is javascript heavily involved in this?
And do I have to just run some sort of .ani file on a webpage, or actually allow something specific to be downloaded onto my machine, or is user interaction not even required?

I'm not sure what that smell is.
This is either very scary or hardly worth concerning about-- and I'll be damned if I know which right now.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

1 recommendation

Cudni to NICK ADSL UK


Chinese servers host malicious cursor attacks

from
»www.securityfocus.com/brief/473
"...
A criminal group responsible for using compromised Web sites to spread malicious software have already started using the latest Microsoft flaw to install their code from at least three servers in China, security experts said on Friday.
.."

Cudni

jansson_mark
Markus Jansson
Premium Member
join:2001-08-05
Finland

jansson_mark to NICK ADSL UK


Re: Microsoft Security Advisory (935423) Vulnerability in Window

Any POC anywhere?
I'd surely like to check if I'm vulnerable with Firefox, because these reports don't clearly say yes or no to that...

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to Cudni


Re: Chinese servers host malicious cursor attacks

Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni!
Still sounds pretty severe, but the javascript aspect is hardly anything new.
I'll continue to disallow it as a general rule, and wait for further developments.
Won't be using any animated cursors, either.
art22gg
Premium Member
join:2005-02-16
Courtenay, BC

art22gg to NICK ADSL UK


Re: Microsoft Security Advisory (935423) Vulnerability in Window

Hi,
There sure seems to be a lot of conflicting stories/confusion going on about this subject. Hopefully the situation will be straightened up with/by someone making a definitive conclusion about who/what is vulnerable.
MS says per quote--
Mitigating Factors for Animated Cursor Vulnerability


Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

This is not what "Security Focus" is saying!
Art
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to NICK ADSL UK

Seven AV companies have issued protection. My AV is not one of them. I also use Outlook Express. DEFAULT settings in OE are somewhat protective in that interaction is required so for those who wouldn't just ignore and click on through there is some protection. For Plain Text readers though they are actually at the MOST RISK of all.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

La Luna to NICK ADSL UK

Well, this really IS confusing....from Cudni's link:

The animated-cursor flaw affects all versions of Windows, including Windows Vista, as well as Internet Explorer 6 and 7.

»www.securityfocus.com/brief/473

So what's the deal? You have to visit an infected site or open an email and click on a link that sends you to a site that has these infected cursors on it?
Mele20
Premium Member
join:2001-06-05
Hilo, HI

All you need to do is use Outlook Express set to Plain Text for reading and then open an email that has embedded ANI files and unless your AV is detecting this, you are infected. If you use default settings for OE then you would get some interactive warning as the email would open in HTML but most folks will ignore the warning and get infected.

»isc.sans.org/diary.html? ··· f99022a6

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

I've never, ever seen an animated ani file in an email? And why would I open an email from an unknown source who might embed one in an email?

I suppose it could be passed on by someone else who foolishly opened something unknown, but still, that's a long shot. I can't think of anyone I email with who would do that.

Maybe I'm not understanding the mode of propagation with this.

Clicking unknowingly on an infected website seems like it would be more of a problem to me.

AB57
Premium Member
join:2006-04-04
equatorial

said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

1 recommendation

said by AB57:
said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.
Oh crap, this is too confusing.....someone get back to me when it's sorted out, lol....

Now, let me go search for the email from that rich old coot.....

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to NICK ADSL UK

Microsoft has known about this since 2006.12, and published an advisory only when exploits were reported. »blogs.zdnet.com/security/?p=143

McAfee says Firefox is not vulnerable. »www.avertlabs.com/resear ··· g/?p=230

I haven't confirmed it, but I suspect that .ani files are run by one of those shell handler things in Windows. I wonder whether a workaround could be as simple as disabling whatever it is in Windows that runs .ani files.

I would be surprised if Firefox downloads .ani files without warning and calls the relevant handler. If anyone reading this has ever seen a Mozilla browser load up and use an animated cursor without asking permission, or if anyone has seen a proof of concept page so we can test it, please post.

Microsoft email software is an infection vector because it uses the IE pieces for interpreting HTML. Use an email client that doesn't rely on IE and you're ok.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

McAfee says Firefox 2.0 is not vulnerable. Many are still using 1.5 and without a POC we can't know if it is or is not vulnerable. Probably not but McAfee may not be right as other security experts say that Fx is vulnerable under some circumstances.

I don't like any other email client. OE is the only email client I have used that I really like.

swhx7
Premium Member
join:2006-07-23
Elbonia

swhx7 to NICK ADSL UK

Update:

.ani files are interpreted by user32.dll ( »research.eeye.com/html/a ··· 328.html ), and it also does a bunch of other things in Windows, so unregistering it would not be an option.

The above page also links to a 3rd party patch.

Note: .ani files can be renamed to .jpg or .jpeg and still be effective in this attack.

said by AB57:

Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner ··· gCur.htm
It explains that .ani files are delivered with code like this:
<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell DLLs, etc. Your mileage may vary.
matunga
join:2003-07-26

matunga to Mele20

»securitytracker.com/aler ··· 827.html

This can be exploited via various methods, including HTML and e-mail and is not limited to files with a '.ani' file extension.

This can be exploited via various applications that use the vulnerable Windows functions, including Microsoft Internet Explorer, Windows Explorer, Mozilla Firefox, and Microsoft Outlook.

Users with Internet Explorer 7 running in Protected Mode on Windows Vista are not affected.
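Both the securitytracker quote above ("not limited to files with a '.ani' file extension") and swhx7's earlier note that an .ani file renamed to .jpg still works make the same point: the Windows loader keys on the file's content, not its name. As an added example (not code from this thread, from Microsoft, from eEye or from securitytracker), here is a small Python triage script that recognises ANI data by its RIFF/ACON signature whatever the filename says and flags an anih header whose declared size is wrong or truncated. That the RIFF form type is "ACON" and that the anih chunk carries a 36-byte ANIHEADER are assumptions from the public RIFF/ANI layout, not stated on this page; the function names and sample files are constructed for illustration.

```python
"""Content-based triage for Windows animated-cursor (.ani) data.

Added example for this thread; it is not code from the thread, from Microsoft
or from eEye. Assumptions not stated on the page: an .ani file is a RIFF
container with form type "ACON", and its "anih" chunk carries a 36-byte
ANIHEADER. Function names and sample bytes are constructed for illustration.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER) in a well-formed file (assumption)


def is_riff_acon(data: bytes) -> bool:
    """True if the bytes start with a RIFF/ACON signature, whatever the name says."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data: bytes):
    """Yield (fourcc, declared_size, payload) for each top-level RIFF chunk.

    The payload is whatever bytes actually exist; the caller compares its
    length with declared_size to spot a truncated chunk.
    """
    pos = 12  # skip "RIFF" + size + "ACON"
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def triage(filename: str, data: bytes) -> dict:
    """Classify a blob by content, not extension, and list what looks wrong."""
    findings = []
    if not is_riff_acon(data):
        return {"filename": filename, "is_ani": False, "findings": findings}
    if not filename.lower().endswith(".ani"):
        # The thread's point: the loader keys on content, so a renamed file
        # still reaches the ANI code path and deserves the same scrutiny.
        findings.append("ANI content under a non-.ani extension")
    saw_anih = False
    for fourcc, size, payload in iter_chunks(data):
        if fourcc != b"anih":
            continue
        saw_anih = True
        if size != ANIHEADER_SIZE:
            findings.append(f"anih chunk declares {size} bytes, expected {ANIHEADER_SIZE}")
        if len(payload) < size:
            findings.append("anih chunk truncated")
    if not saw_anih:
        findings.append("no anih chunk")
    return {"filename": filename, "is_ani": True, "findings": findings}


def build_sample(declared: int, actual: int) -> bytes:
    """Constructed test data: a RIFF/ACON file with one anih chunk whose
    header claims `declared` bytes and actually contains `actual` bytes."""
    header = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)  # 36 bytes
    body = header.ljust(actual, b"\0")[:actual]
    chunk = b"anih" + struct.pack("<I", declared) + body
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"ACON" + chunk


# Constructed samples: the same benign cursor under two names, a malformed
# header, a truncated file, and a JPEG prefix for contrast.
SAMPLES = {
    "pointer.ani": build_sample(36, 36),
    "photo.jpg": build_sample(36, 36),
    "oversized.ani": build_sample(40, 40),
    "cut.ani": build_sample(36, 20),
    "real.jpg": b"\xff\xd8\xff\xe0" + bytes(20),
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Run triage over every sample and return the results keyed by name."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        kind = "ANI" if result["is_ani"] else "other"
        print(f"{name:14} {kind:6} {'; '.join(result['findings']) or 'ok'}")
```

Run stand-alone it prints one line per sample; `photo.jpg` is reported as ANI content even though its name says otherwise, which is exactly the case an extension-based filter misses. This is a pre-filter for mail gateways or proxy logs, not a substitute for the vendor detection the thread discusses.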