
NICK ADSL UK
Premium,MVM
join:2004-02-22

Microsoft Security Advisory (935423) Vulnerability in Window

Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

»www.microsoft.com/technet/securi···423.mspx
--
Wilders Security Forum Admin
Microsoft MVP-Windows Security


DownTheShore
Maddie Knows Poopie
Premium
join:2003-12-02
Beautiful NJ
clubs:

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Thanks for posting this.

The_alt_swhx7

@irs.gov

I couldn't tell from the writeup - does this affect only IE or can it be exploited via other browsers too? What does Firefox do with the .ani cursors? If there is an animated cursor feature in Firefox, can it be turned off?

(swhx7 posting anon. because of untrusted computer)

The_alt_swhx7

@irs.gov
Found the answer, it is Microsoft products only.
»www.vnunet.com/vnunet/news/21868···-attacks
matunga

join:2003-07-26


4 edits

Re: Microsoft Security Advisory (935423) Vulnerability in Window

This flaw is a Windows flaw, not a browser flaw. Both browsers, IE and Firefox, are at risk:

Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer

All applications that use certain Windows API calls are affected, including Internet Explorer, Windows Explorer, Mozilla Firefox and Outlook.

»www.derkeiler.com/Mailing-Lists/···536.html

bcool
Premium
join:2000-08-25
The Ozarks

Wow! In one little thread two contradictory assertions:

"Alternative browsers such as Firefox and Opera do not appear to be vulnerable to the attack." »www.vnunet.com/vnunet/news/21868···-attacks

"Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer" »www.derkeiler.com/Mailing-Lists/···536.html

Since Firefox most assuredly calls upon the Windows API, I will err on the side of caution.
--
"in flagrante delicto"
Mele20
Premium
join:2001-06-05
Hilo, HI

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7) and even Windows Vista Mail is somewhat vulnerable. From Microsoft Security Advisory (935423):

"Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability."

I have always read all email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

AB
Premium
join:2006-04-04
Leesburg, VA

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by Mele20:

Whoa! This is nasty! There is NO WAY to protect yourself if you use Outlook Express (even if you use IE7)
Don't use an animated cursor?

EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

Microsoft has its priorities well placed ...

said by Mele20:

I have always read my incoming email in OE in Plain Text. That has been excellent protection until this. Alexander Sotirov from Determina recommends reading ALL MAIL with Telnet. That is sure going to be fun.
I use a really old version of Mailwasher (2.0.28 beta) to screen, preview and scrub junk while it's on my ISP's POP server. It's been quite effective and requires minimal effort.

What really gripes me is that Microsoft has not issued a fix for this, but I just saw the second non-patch Tuesday WGA update notification. MS didn't wait for patch Tuesday to issue these "high priority updates".

[sarcasm]
But I'm sure that WGA updates must be a more meaningful priority for users than these insignificant little security holes. But at least I know if my systems become infected, they'll be using "genuine copies" of a vulnerable OS.
[/sarcasm]
--
03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...

swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

OK, I can see Fireferret/Moz browsers being vulnerable if a page can get them to call the Windows routines for using a new cursor from an .ani file instead of the regular cursor the user already has going on. But how would that happen?

In several years of surfing with Mozilla/Seamonkey I've never had the cursor become animated. If it did I would have immediately found a way to prevent it, because I find that sort of thing intolerably annoying.

This must not be confused with the substitute cursors that can be specified with stylesheets. With some CSS you can make a compliant browser use a question mark or crosshairs, for example, instead of the usual pointer. An ani cursor, I presume, would be actually moving on its own.

KachiWachi

join:2004-02-12
PA, USA

Re: Microsoft Security Advisory (935423) Vulnerability in Window

I guess you don't visit myspace often then swhx7.

swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by KachiWachi:

I guess you don't visit myspace often then swhx7.
Well, seriously, if you or anyone can give me a link to a page that has this in it (harmless .ani file that is), I'd like to check it out. PM is OK.
Mele20
Premium
join:2001-06-05
Hilo, HI
There is a temporary patch from eeye security.

»research.eeye.com/html/alerts/ze···328.html

I'm just about to install it.

Grail Knight
Who Dares Wins
Premium
join:2003-05-31

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Has this patch been tested by any other security vendors?
rgillis70
Premium
join:2002-12-30
Herndon, VA
Outlook 2007 and IE7 on Vista (as shipped) are not vulnerable to this one.
daveinpoway
Premium
join:2006-07-03
Poway, CA
Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/

AB
Premium
join:2006-04-04
Leesburg, VA

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by daveinpoway:

Here's another article about this- »cwflyris.computerworld.com/t/140···57317/2/
Well, now I'm thoroughly confused.
This article seems to indicate that Windows animated cursors are not at risk, and the exploit comes from allowing an animated cursor to run on a particular website, or within an HTML e-mail.
WTF?? Am I missing something? Do animated cursor files abound on websites? Do I run them all the time and just not know it?
Or is javascript heavily involved in this?
And do I have to just run some sort of .ani file on a webpage, or actually allow something specific to be downloaded onto my machine, or is user interaction not even required?

I'm not sure what that smell is.
This is either very scary or hardly worth concerning about-- and I'll be damned if I know which right now.

Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

from
»www.securityfocus.com/brief/473
"...
A criminal group responsible for using compromised Web sites to spread malicious software have already started using the latest Microsoft flaw to install their code from at least three servers in China, security experts said on Friday.
.."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006

AB
Premium
join:2006-04-04
Leesburg, VA

Re: Chinese servers host malicious cursor attacks

said by Cudni:

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved. Thank you very much, Cudni!
Still sounds pretty severe, but the javascript aspect is hardly anything new.
I'll continue to disallow it as a general rule, and wait for further developments.
Won't be using any animated cursors, either.

jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
Any POC anywhere?
I'd surely like to check if I'm vulnerable with Firefox, because these reports don't clearly say yes or no to that...
art22gg

join:2005-02-16
Courtenay, BC

Hi,
There sure seems to be a lot of conflicting stories/confusion going on about this subject. Hopefully the situation will be straightened up with/by someone making a definitive conclusion about who/what is vulnerable.
MS says per quote--
Mitigating Factors for Animated Cursor Vulnerability

Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

This is not what "Security Focus" is saying!
Art
Mele20
Premium
join:2001-06-05
Hilo, HI

Seven AV companies have issued protection. My AV is not one of them. I also use Outlook Express. DEFAULT settings in OE are somewhat protective in that interaction is required so for those who wouldn't just ignore and click on through there is some protection. For Plain Text readers though they are actually at the MOST RISK of all.

bettywont
Premium
join:2004-09-11
Montreal, QC

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Could you please list the 7 companies or provide a link so we can have some peace of mind or mental illness.
Thanks
Kiwi
Premium
join:2003-05-26
USA
·Comcast
·Aristotle Internet


1 edit

Re: Microsoft Security Advisory (935423) Vulnerability in Window

To retain some sanity, avoid MySpace, use an email client other than Outlook (nobody learns). Disable Java & ActiveX, as most pre-Vista folks do. Check your Reg files on occasion for unsupported changes. Next, relax, this too will pass. To date I have not seen any migration into secure sites and that's my only real concern.

[Edit] Stack overflow is how 98% of these work.

Still don't get hard hat foils out until some damage is done from respected folks who know how to secure a rig. Granted, most visiting here have a clue and the general public won't. Net Habits, folks, habits.....

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by bettywont:

Could you please list the 7 companies or provide a link so we can have some peace of mind or mental illness.
Thanks
yes

first two links will give you the names and write up of the two badboys detected..

»www.f-secure.com/v-descs/exploit···_c.shtml

»www.f-secure.com/v-descs/trojan-···kv.shtml

AND SANS is the place to monitor that will keep you abreast of those products which seems to detect what is out there.

Windows Animated Cursor Handling vulnerability - CVE-2007-0038
Published: 2007-03-29,
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14)

Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
»isc.sans.org/diary.html?storyid=···84c25591
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Kiwi
Premium
join:2003-05-26
USA

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Ah, confirmed Trojan
Mele20
Premium
join:2001-06-05
Hilo, HI

Eset has been detecting since Friday morning. Eset has a blog on the exploit.

»eset.com/threat-center/blog/

The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by Mele20:

Eset has been detecting since Friday morning. Eset has a blog on the exploit.

»eset.com/threat-center/blog/

The list of AV protecting at SANS is NOT up to date. Symantec has been protecting since yesterday and has an Advisory out.
Never heard of those companies..but I know Microsoft is detecting the animated cursor.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Did you forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
Kiwi
Premium
join:2003-05-26
USA
·Comcast
·Aristotle Internet

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by Mele20:

Did you forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I don't know the site you linked, but there is no worm code there, it's all trojan based MD5 hash. Not sure I would venture out of known waters

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by Mele20:

Did you forget a smilie?

I'm sure you have heard of Eset (NOD32) and we all know about Norton! So, that was meant as a sarcastic reply?
I think they are all working on the ones they can find.. ..but so far it really seems to be a no show..and a few duds.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

bettywont
Premium
join:2004-09-11
Montreal, QC
Name Game and all thanks

If anyone applied the patch does it show up in the ''ADD/REMOVE'' Where exactly does it show up, please!!

La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

Well, this really IS confusing....from Cudni's link:

The animated-cursor flaw affects all versions of Windows, including Windows Vista, as well as Internet Explorer 6 and 7.

»www.securityfocus.com/brief/473

So what's the deal? You have to visit an infected site or open an email and click on a link that sends you to a site that has these infected cursors on it?
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~

Mele20
Premium
join:2001-06-05
Hilo, HI

Re: Microsoft Security Advisory (935423) Vulnerability in Window

All you need to do is use Outlook Express set to Plain Text for reading and then open an email that has embedded ANI files and unless your AV is detecting this, you are infected. If you use default settings for OE then you would get some interactive warning as the email would open in HTML but most folks will ignore the warning and get infected.

»isc.sans.org/diary.html?storyid=···f99022a6
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

Re: Microsoft Security Advisory (935423) Vulnerability in Window

I've never, ever seen an animated ani file in an email? And why would I open an email from an unknown source who might embed one in an email?

I suppose it could be passed on by someone else who foolishly opened something unknown, but still, that's a long shot. I can't think of anyone I email with who would do that.

Maybe I'm not understanding the mode of propagation with this.

Clicking unknowingly on an infected website seems like it would be more of a problem to me.
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~


AB
Premium
join:2006-04-04
Leesburg, VA

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.

La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
·Optimum Online
·Vonage

Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by AB:

said by La Luna:

. . why would I open an email from an unknown source who might embed one in an email?
Because you may just have won $100,000.00!! Yes, YOU!!
Or some rich guy may have just died and left you a big pile of money, if only you could assist his Nigerian Executor in getting it to you!
. . Maybe I'm not understanding the mode of propagation with this. . . .
From what I'm reading, it's an old and quite well known javascripting vulnerability.
The new wrinkle seems to be in having .ani files carry out the dirty work.
As best I can make of it. But I could be wrong.
Oh crap, this is too confusing.....someone get back to me when it's sorted out, lol....

Now, let me go search for the email from that rich old coot.....
--
~~Don't wanna' fight in a holy war...World war III when are you coming for me? Been kicking up sparks, we set the flames free...the windows are locked now so what'll it be? A house on fire or a rising sea?...~~


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

Microsoft has known about this since 2006.12, and published an advisory only when exploits were reported. »blogs.zdnet.com/security/?p=143

McAfee says Firefox is not vulnerable. »www.avertlabs.com/research/blog/?p=230

I haven't confirmed it, but I suspect that .ani files are run by one of those shell handler things in Windows. I wonder whether a workaround could be as simple as disabling whatever it is in Windows that runs .ani files.

I would be surprised if Firefox downloads .ani files without warning and calls the relevant handler. If anyone reading this has ever seen a Mozilla browser load up and use an animated cursor without asking permission, or if anyone has seen a proof of concept page so we can test it, please post.

Microsoft email software is an infection vector because it uses the IE pieces for interpreting HTML. Use an email client that doesn't rely on IE and you're ok.
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: Microsoft Security Advisory (935423) Vulnerability in Window

McAfee says Firefox 2.0 is not vulnerable. Many are still using 1.5 and without a POC we can't know if it is or is not vulnerable. Probably not but McAfee may not be right as other security experts say that Fx is vulnerable under some circumstances.

I don't like any other email client. OE is the only email client I have used that I really like.
matunga

join:2003-07-26

Re: Microsoft Security Advisory (935423) Vulnerability in Window

»securitytracker.com/alerts/2007/···827.html

This can be exploited via various methods, including HTML and e-mail and is not limited to files with a '.ani' file extension.

This can be exploited via various applications that use the vulnerable Windows functions, including Microsoft Internet Explorer, Windows Explorer, Mozilla Firefox, and Microsoft Outlook.

Users with Internet Explorer 7 running in Protected Mode on Windows Vista are not affected.

swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

Update:

.ani files are interpreted by user32.dll ( »research.eeye.com/html/alerts/ze···328.html ), and it also does a bunch of other things in Windows, so unregistering it would not be an option.

The above page also links to a 3rd party patch.

Note: .ani files can be renamed to .jpg or .jpeg and still be effective in this attack.

said by AB:

said by Cudni:

from
»www.securityfocus.com/brief/473
Aha! Javascript is most definitely heavily involved.
What that article says about Javascript is only that it's used to redirect the browser to another page where the .ani file is hosted. This is not crucial to the exploit; you could go to an infected site in the first place instead of being redirected. JS is not needed to make a browser download an .ani file.

Finally here is what amounts to a safe POC page.
»www.gdgsoft.com/anituner/help/SavingCur.htm
It explains that .ani files are delivered with code like this:

<style>
<!--
BODY{ cursor:url("mycur.ani"); }
-->
</style>
And it contains a link, just like the above, to an actual .ani file which apparently is an animated dinosaur. However, for me there was no animation, and no change in the cursor. This was with Seamonkey 1.x with Javascript off. I then turned on Javascript, and got the same result: nothing. Also I downloaded the .ani file and double-clicked it, and the dialog came up asking which program to open it with. This is on Windows 2000 SP4 with a lot of things turned off, including various services and shell DLLs, etc. Your mileage may vary.

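A defender-side check for two points in the post above (cursors are pulled in through a CSS `cursor:url(...)` rule, and the file need not be named .ani), added here as an example and not part of the original thread. It lists cursor URLs found in markup, classifies fetched bytes by their RIFF/ACON header rather than by name, and checks that each `anih` chunk has the 36-byte length of the ANI header structure; the sample page, file names, byte strings and function names are constructed for this example.

```python
import re
import struct

ANIHEADER_SIZE = 36  # byte length of the header structure carried in an "anih" chunk

CURSOR_DECL_RE = re.compile(r"cursor\s*:([^;}]*)", re.IGNORECASE)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def find_cursor_urls(markup):
    """Return every URL named by a CSS cursor property in HTML or CSS text."""
    return [url for decl in CURSOR_DECL_RE.findall(markup)
            for url in URL_RE.findall(decl)]


def is_ani(data):
    """True when the bytes are a RIFF container of form type ACON (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def walk_chunks(data, start=12, end=None):
    """Yield (chunk_id, declared_size, payload_offset), descending into LIST chunks."""
    end = len(data) if end is None else min(end, len(data))
    pos = start
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield chunk_id, size, pos + 8
        if chunk_id == b"LIST" and size >= 4:
            yield from walk_chunks(data, pos + 12, pos + 8 + size)
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def inspect(name, data):
    """Classify one fetched resource by its content and return a list of findings."""
    if not is_ani(data):
        return []
    findings = []
    if not name.lower().endswith(".ani"):
        findings.append("ANI content under a non-.ani name")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append("RIFF size field exceeds the file length")
    headers = [(size, off) for cid, size, off in walk_chunks(data) if cid == b"anih"]
    if not headers:
        findings.append("no anih chunk")
    for size, off in headers:  # check every anih chunk that was found
        if size != ANIHEADER_SIZE:
            findings.append(f"anih chunk at offset {off - 8} declares {size} bytes")
    return findings


# Constructed sample page: the rule quoted in the post plus one renamed reference.
SAMPLE_PAGE = """<style>
BODY{ cursor:url("mycur.ani"); }
a:hover { cursor: url('pics/arrow.jpg'), auto }
</style>"""


def make_ani(anih_len=ANIHEADER_SIZE):
    """Constructed sample: a minimal ACON container whose anih chunk has this length."""
    payload = struct.pack("<I", ANIHEADER_SIZE).ljust(anih_len, b"\0")
    body = b"ACON" + b"anih" + struct.pack("<I", anih_len) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    # Constructed stand-ins for what a proxy or mail gateway would have fetched.
    fetched = {"mycur.ani": make_ani(), "pics/arrow.jpg": make_ani(64)}
    for url in find_cursor_urls(SAMPLE_PAGE):
        print(url, inspect(url, fetched[url]))
```
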
daveinpoway
Premium
join:2006-07-03
Poway, CA

I installed Blink Neighborhood Watch from eEye yesterday; they claim this will protect my PC from this problem, but I haven't found any test site to verify if I am indeed protected or not. Since I am using Zone Alarm Pro, I disabled both firewalls in BNW; hopefully, the protection against this malware is still present without BNW's firewalls, but who knows for sure?
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: Microsoft Security Advisory (935423) Vulnerability in Window

I'm curious why you didn't install their patch instead?

What AV do you have? Most are protecting against it now..but not mine and it is ironic because Avira adds more definitions than anyone just about.
rhatsaruck

join:1999-08-12
West Palm Beach, FL

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Has any firm explained how to determine if you are already infected? The Microsoft advisory is silent on this matter as is Symantec, my AV vendor.

vircotto

join:2002-06-04
Illinois

Re: Microsoft Security Advisory (935423) Vulnerability in Window

Symantec has now addressed this.

»www.symantec.com/outbreak/animat···ity.html

...
Users of Outlook 2002 (or later) or Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

Symantec Security Response has released virus definition signatures that will detect threats that attempt to exploit this vulnerability. These threats will be detected as Bloodhound.Exploit.131. Certified virus definitions dated March 30, 2007 or later contain this detection.
rhatsaruck

join:1999-08-12
West Palm Beach, FL


1 edit

Re: Microsoft Security Advisory (935423) Vulnerability in Window

vircotto, Symantec has not addressed my issue. They do not explain how to determine if one has been infected.

In addition, the Symantec info you quoted

Outlook Express 6 Service Pack 1 or later can mitigate the risk of being compromised via an email with a malicious animated cursor by reading email messages in plain text format.

contradicts Microsoft's info. Microsoft claims

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
daveinpoway
Premium
join:2006-07-03
Poway, CA


1 edit
AV is (was) Avast. You're right that I could have installed the patch, but the lure of Blink protecting you against future zero-day stuff was strong.

Anyway, I am now using Blink Personal Edition, for which eEye offers a free 1-year license (I don't know if you can renew it for free when it expires, but I'll concern myself with that next April). So, I removed Zone Alarm Pro, Avast and some other anti-malware stuff from my system. One thing I see is that BPE scans much faster than Avast. Avast took about 2.5 hours to scan my C drive, but BPE does a full scan in a little more than an hour.

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

Usage note Mitigate, whose central meaning is “to lessen” or “make less severe,” is sometimes confused with militate, “to have effect or influence,” in the phrase mitigate against: This criticism in no way militates (not mitigates) against your going ahead with your research. Although this use of mitigate occasionally occurs in edited writing, it is rare and is widely regarded as an error.

not mitigate (make less severe) attempts to exploit

can mitigate (make less severe) the risk

maybe attempts to exploit is not considered to be a risk in plain text.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

"Because simply previewing an HTML e-mail message can result in an infection, Microsoft also provided additional details late yesterday on which of its e-mail clients are safest to use. According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista's Windows Mail -- as long as users don't reply or forward the attacker's messages. The SANS Institute's testing, however, contradicted Microsoft; by SANS' account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don't have to actually open the message to be in danger of an infection.

In-the-wild attacks, said Dunham, have been limited so far to those against Windows XP SP2 through Microsoft's Internet Explorer 6 and 7 (IE6 and IE7) browsers. But that won't likely remain the case for long. "Our tests prove that trivial modification is all that's required to update the payload and functionality on multiple operating system builds," he said.

And while Microsoft yesterday said Vista's version of IE7 protects users, eEye's Brown added that browser-based attacks aren't the only game in town. "I get the PR [public relations] angle they're going down, but there are all sorts of ways this can come in, including HTML e-mail. Vista's not immune."

»www.computerworld.com/action/art···=9015138
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Kiwi
Premium
join:2003-05-26
USA

2 edits
I have not read all responses, but this appears like a Java based exploit. Interesting.

[Edit]
This seems more Trojan based, than either a virus or worm. The Java aspect seems related to an indirect ASPI hook.

Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

I love it when every AV house expert claims they have the skills to squeeze one off with a little extra effort that Microsoft will never hear but everyone will smell...but I am really waiting for the surgeons to come in and go to work.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/