Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit
reply to NICK ADSL UK
Re: Microsoft Security Advisory (935423) Vulnerability in Window

ZERT has just issued a patch that, unlike the eEye one, addresses the core of the vulnerability. A POC is also provided to see if the patch has been installed properly and is working. GRC Security NewsGroup notes that the patch is not completely stable.

ZERT also explains that this exploit is a result of someone taking advantage of Microsoft's sloppiness when they fixed the earlier ANI exploit MS05-002. Sigh. Will Microsoft ever get serious about security so this sort of thing doesn't keep happening?

From ZERT:

"The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered."

»isotf.org/zert/advisories/zert-2007-01.htm

For W98 users it should be noted that this patch WORKS ON W98.

--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/
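The flaw ZERT describes above (a fixed 36-byte buffer filled using the chunk's own length field, with only the first "anih" chunk checked) is easiest to see next to a parser that applies the same bound in the one code path that handles every "anih" chunk. This is an added example, not ZERT's patch or Microsoft's code; the names `ANIH_SIZE`, `parse_ani` and `build_sample`, and the constructed two-chunk sample file, are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u   /* size of the fixed stack buffer the ZERT advisory describes */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walks every top-level chunk of a RIFF/ACON file. Returns 0 and the count of
 * "anih" chunks accepted, or -1 if any chunk runs past the file or any anih
 * chunk (first, second or later) declares a size other than 36. */
int parse_ani(const uint8_t *buf, size_t len, int *anih_count) {
    uint8_t anih[ANIH_SIZE];
    size_t pos = 12;
    *anih_count = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t csize = rd32(buf + pos + 4);
        pos += 8;
        if (csize > len - pos)            /* chunk body extends past the file */
            return -1;
        if (memcmp(id, "anih", 4) == 0) { /* one code path, one check, for every anih */
            if (csize != ANIH_SIZE)       /* never copy more than the buffer holds */
                return -1;
            memcpy(anih, buf + pos, ANIH_SIZE);
            if (rd32(anih) != ANIH_SIZE)  /* the cbSizeof field must agree as well */
                return -1;
            (*anih_count)++;
        }
        pos += csize + (csize & 1);       /* RIFF pads odd-sized chunks to even */
    }
    return 0;
}

/* Constructed sample, not a real cursor: RIFF/ACON with two anih chunks, the
 * second declaring second_len bytes of zero-filled body. Returns total length. */
size_t build_sample(uint8_t *out, uint32_t second_len) {
    uint8_t *p = out;
    memcpy(p, "RIFF", 4); wr32(p + 4, 0); memcpy(p + 8, "ACON", 4); p += 12;
    memcpy(p, "anih", 4); wr32(p + 4, ANIH_SIZE); p += 8;
    memset(p, 0, ANIH_SIZE); wr32(p, ANIH_SIZE); p += ANIH_SIZE;
    memcpy(p, "anih", 4); wr32(p + 4, second_len); p += 8;
    memset(p, 0, second_len); if (second_len >= 4) wr32(p, ANIH_SIZE);
    p += second_len + (second_len & 1);
    wr32(out + 4, (uint32_t)(p - out - 8));        /* RIFF payload size */
    return (size_t)(p - out);
}
```

With `build_sample(buf, 36)` both chunks are accepted; with `build_sample(buf, 64)` the second chunk is rejected before any copy, which is exactly the case the MS05-002 fix left unchecked.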

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

Our gentle readers may run across two different forms of the link.
»isotf.org/zert/advisories/zert-2007-01.htm
The download works from this link.

»zert.isotf.org/advisories/zert-2007-01.htm
The download doesn't work from here; 404 error.

The second link is a mirror:
»isotf.org/zert/advisories/zert-2007-01.htm
04/01/07 20:57:09 dns isotf.org
Canonical name: isotf.org
Addresses:
209.151.108.139

»zert.isotf.org/advisories/zert-2007-01.htm
04/01/07 20:56:43 dns zert.isotf.org
Canonical name: zmirror.isotf.org
Aliases:
zert.isotf.org
Addresses:
209.151.108.133

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to NICK ADSL UK
Larry Seltzer has an interesting piece on the ANI attacks:

"I don't often get this mad at a vendor. I'm usually more inclined to feel sorry for them for all the grief they'll take when they screw up, but Microsoft deserves massive grief from this. Like the WMF bug, this is likely to be an endemic attack for years to come, lurking around the background of the Internet, and it needn't have happened."

I agree.

»www.eweek.com/article2/0,1895,2110151,00.asp
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire

reply to Mele20
Thanks for the ZERT article. I tried the POC page, with no patch installed, using both IE7 and FF and got no crash with either. Both times it displayed
"you do not appear to be vulnerable to the ie ani cursor exploit ..."

Cudni
--
Some are born to failure, others achieve it, all deserve it.
Help yourself so God can help you.
MVP, Microsoft Windows Security 2006-2007


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

This is real and we've confirmed it: however, we've only received six customer reports so far.

We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.

The worm tries to locate all HTML files on the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such web page files are viewed or uploaded to a webserver, they will spread the infection further.

In addition to spreading via the ANI exploit, it also tries to spread via USB stick and other removable media.

An easy way to confirm an infection is the existence of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to the SYSTEM32 folder. Sysadmins can monitor their outgoing email to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com or 3876195@qq.com would indicate an infection.

»www.f-secure.com/weblog/

»www.f-secure.com/v-descs/agent_bky.shtml
»www.cisrt.org/enblog/read.php?68
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit
I posted that information in this thread yesterday and was told twice by Kiwi that I was posting a trojan link which I was not ...people don't read! First Kiwi and now you. But from the BoClean thread I learned that some things have to be repeated ad nauseam so I guess it doesn't hurt for you to repeat what I already posted.

»Re: Microsoft Security Advisory (935423) Vulnerability in Window


ModemHead
hmmm... what does this do?
Premium
join:2006-01-22
Apex, NC


1 edit
reply to Cudni
It appears that the ZERT site is mirrored (as per Bob above) and the cursor files that are referenced in the POC test page do not exist on one of the mirrors (as of 10pm EDT).

The working test page is:
»zert.isotf.org/tests/testani.htm

The non-working test page is:
»isotf.org/zert/tests/testani.htm

The non-working test page will never do anything but tell you that you are not vulnerable, even if you are.

The ZERT people seem to be a little confused, I wouldn't recommend loading any patches from there at this time...

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Cudni
said by Cudni See Profile :

Thanks for ZERT article. I tried poc page, with no patch installed, using both IE7 and FF and no crash with either. Both time displayed
"you do not appear to be vulnerable to the ie ani cursor exploit ..."

Cudni
That may not be accurate. The ZERT page, if followed from some links, will not download the patch and will also show invalid information if you do the test from that link. There are a bunch of posts about it at GRC Security NG. If you can download the patch from the link you used for the test then probably you are on the valid link.

Some are so suspicious as to not test or download the patch because the ZERT icon is missing from the page. As I understand it, Internet Storm Center has an invalid (or did, as they have been notified and may have fixed it) link to the ZERT page, so if you used that link the test is invalid. If you used the link I posted, it should be a valid test....I think...but my head is reeling from stuffing too much about this into it. Really is beginning to remind me of the days right after WMF was discovered, and tomorrow being the first work day ...oh, boy.

I have not done the test or installed the ZERT patch, although I did download it. I had enough taste of danger last night trying to get rid of the POC that I let IE download. If I had downloaded that file to the desktop...eegads! would I have had a mess, as Explorer would have gone into an infinite crash/reboot loop. Luckily, out of habit, I let it download to the usual Downloaded Programs folder that I use. Explorer wouldn't let me in the folder. It would crash if I got near the folder. It took Command Line (which I am not good at) to get into the folder and there was a question about an active handle maybe being held open by it and, if so, I might not have been able to delete it that way. Luckily, after several tries (had to reboot and not let Explorer anywhere near the Downloaded Programs folder) and help with trying various commands, I got it deleted. That was enough excitement for me for awhile.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC


1 edit
reply to Mele20
said by Mele20 See Profile :

I posted that information in this thread yesterday and was told twice by Kiwi that I was posting a trojan link which I was not ...people don't read! First Kiwi and now you. But from the BoClean thread I learned that some things have to be repeated ad nauseam so I get it doesn't hurt for you to repeat what I already posted.

»Re: Microsoft Security Advisory (935423) Vulnerability in Window

Nonsense..you posted no f-secure links..and the cisrt.org link you posted has now been updated..and happens to also be incorporated at the f-secure site..the info is all new..
and on top of it all this badboy ANI is pretty much of a NO SHOW to date in the wild..one of the slowest worms I have seen in a long time..compared to all the sky is falling dumps the AV houses are yelling about..heck they even have to share copies of them to even reverse engineer them.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/

Mele20
Premium
join:2001-06-05
Hilo, HI

OK. If the information is updated then it is good to post that, but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that it had been updated? But I don't want to split hairs...as I said, repeating stuff in these forums seems to be a necessity for a variety of reasons.


ModemHead
hmmm... what does this do?
Premium
join:2006-01-22
Apex, NC

reply to Mele20
The cursor files (there are two) at ZERT are not quite so potent. They immediately crashed IE6 on my fully-patched XP Pro SP2 system. But they had no effect on Windows Explorer, even when I changed the extensions from JPG to ANI. No hung threads with open handles in Explorer either, as with the other POC from last night that you had so much fun with.

Also, this ZERT POC page has zero effect on Firefox 2.0.0.3. The CSS code is actually syntactically incorrect, so Fx doesn't even attempt to get the cursor files.


SpannerITWks
Premium
join:2005-04-22

reply to NICK ADSL UK
Tested with IE6 on 98SE -

No crash, no problems !

What I found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?

As I don't have those things enabled by default, I didn't see anything.

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Mele20
said by Mele20 See Profile :

OK. If the information is updated then it is good to post that, but I don't see why it has to be posted from the FSecure link. What was wrong with my original link and just indicating that it had been updated? But I don't want to split hairs...as I said, repeating stuff in these forums seems to be a necessity for a variety of reasons.
you already split hairs and did not even read the links, much less the f-secure write up at the first or second link posted; when you finally do it will answer your own question. Settle down..and spend some time reading rather than training anyone how to post.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
spanner,

correct..that is just their way of playing around to make people happy..so do not get the impression that activeX or flash is any part of what is out there.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


ModemHead
hmmm... what does this do?
Premium
join:2006-01-22
Apex, NC

reply to SpannerITWks
said by SpannerITWks See Profile :

What I found strange was that a " Security " www would require you to have Flash and Active Scripting and/or ActiveX enabled ?
The link you followed from the test page to get a flash-based page is isoft. The original site is isotf. Typo?

These ZERT folks sure do have a lot of problems. But they are linked from SANS.


planet

join:2001-11-05
Olmsted Falls, OH
From Wilders:
»www.wilderssecurity.com/showthre···t=170459

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Name Game
I have been reading for five hours and almost all of that time has been on this! I still haven't read the F-Secure link..will do, but time for a bit of a break. Avira just updated and has a new engine and detects this now heuristically. (But their information pages are somewhat incorrect and some are in German only and Google translation is not very helpful).


ModemHead
hmmm... what does this do?
Premium
join:2006-01-22
Apex, NC
reply to NICK ADSL UK
Official patch due on Tuesday 3-Apr

»MS Security Bulletin Advanced Notification for 4/3/2007


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to planet
Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by planet See Profile :

From Wilders:
»www.wilderssecurity.com/showthre···t=170459
Poor guy..hope someone lets him know the score with his AV and what to do next.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Just Bob
Premium
join:2000-08-13
Spring Hill, FL


1 edit
reply to NICK ADSL UK
Apparently the critical update scheduled for April 3 is a patch for the ani exploit.

»blogs.technet.com/msrc/archive/2···423.aspx

It only stands to reason, as I just installed the zert patch.
Sunday, 06-Dec 12:55:42 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.