Slashdot Mirror


Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

338 comments

  1. First Pwndst by Anonymous Coward · · Score: 2, Insightful

    So much for Vista being secure from the ground up!

    1. Re:First Pwndst by Luscious868 · · Score: 3, Insightful

      So much for Vista being secure from the ground up!
Vista is secure from the ground up ... just so long as you're running it in a VM on some other OS.
    2. Re:First Pwndst by present_arms · · Score: 1
      According to the BBC Vista and IE7 are immune to the attack

      Security firms said users can stay safe from this vulnerability by using an alternative browser, such as Opera or Firefox 2.0, with Windows. Also protected are those using Windows Vista with Internet Explorer 7.0. All The Best Your Friendly Linux User Alie
      --
      http://chimpbox.us
    3. Re:First Pwndst by Anonymous Coward · · Score: 1, Informative

      'With', not 'and'. In other words, IE7 on XP could still be vulnerable, or Vista could by opening the cursor file through some non-IE7 means.

    4. Re:First Pwndst by Anonymous Coward · · Score: 1, Informative

      Vista w/ Windows Mail seems to be vulnerable.

    5. Re:First Pwndst by Anonymous Coward · · Score: 5, Interesting

      It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

      Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

      You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

    6. Re:First Pwndst by Griffinart · · Score: 1

      Windows Mail can be vulnerable but only if you were to forward or reply to a message using the exploit. Office 2007 is not affected by the exploit. As mentioned if you are running IE7 under Vista you are not vulnerable to hostile web sites using this exploit.

    7. Re:First Pwndst by seaturnip · · Score: 1

      Just out of curiosity: what is a lie in what the grandparent said?

    8. Re:First Pwndst by shadanan · · Score: 1

      This is of course assuming the user doesn't accidentally click "Allow" when the cursor exploit requests admin privileges to continue.

    9. Re:First Pwndst by Anonymous Coward · · Score: 0

As long as there are idiots that ACTUALLY click on malicious websites and open malicious emails, holes like these will always be there in ANY OS. The hackers and virus writers that find these holes are smart (I don't know why anti-MS people think they are dumb), just like any businessmen/women. They think ROI! Why wouldn't they target the OS that is running on 95% of the world's computers? In the foreseeable future, that percentage is not going to change. There ARE holes in the other OSes and applications, but smart hackers won't spend time on something that has a very low ROI. Linux distributions and OS X have had patches rolled out and security holes fixed... the only difference is that their developers have loads of time, since no one is calling out their code.

It's human nature, and as we know humans aren't perfect, so their creations won't be either.

    10. Re:First Pwndst by Frizzle+Fry · · Score: 4, Interesting

      IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.

      --
      I'd rather be lucky than good.
    11. Re:First Pwndst by eli+pabst · · Score: 1

      IE7 on Vista is protected, but what about Vista Mail? Dshield lists Vista as being vulnerable, even when it's set to read as plaintext:

      http://www.dshield.org/indexd.html

    12. Re:First Pwndst by eli+pabst · · Score: 1

      Sorry, should be "unless it's set to read in plaintext". Forward/reply in plaintext are still vulnerable.

    13. Re:First Pwndst by k1e0x · · Score: 1

That is only if protected mode is on, right.. so all this allows the 'sploit to do is download all of the user files and use/view any other process that the user has rights to?

      Yeah dude.. I don't see what the problem is either. Vista is mighty suck'ure.

      --
      Bringing liberty to the masses. - http://freetalklive.com/
    14. Re:First Pwndst by Giometrix · · Score: 2, Interesting

      "That is only if protected mode is on right.. so all this allows the 'sploit to do is download all of the user files and use /view any other process that the user has right to?"

      I believe you're always in "protected mode;" even when you're on an admin account you're still not in "super user" mode.

      --
      Download free e-books, lectures, and tutorials at bookgoldmine.com
    15. Re:First Pwndst by Bungie · · Score: 4, Interesting

The UAC dialog would not be shown in this case. The UAC box is only shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate its permissions while it is already running. If the process tries to access a restricted area of the filesystem/registry etc. while it is already running under these permissions, the API call will be denied.

      --
      The clash of honour calls, to stand when others fall.
    16. Re:First Pwndst by celkin · · Score: 0

      Moral of the story: get a Tablet PC or a touch screen.

      --
      "Oh c'mon, I wumbo, you wumbo, he/she/me...wumbo, wumboed, womboing...wombology? The study of wumbo? It's first grade,
    17. Re:First Pwndst by Verte · · Score: 0

      "You can't stop vulnerabilities"

      You sure can. Especially the simple buffer overflow stuff like this. Arguments about protected IE7 aren't relevant, because it's not IE7 that handles the animated cursor [it only loads it]. Only browsers that don't load animated cursors by default fix the problem. Further, the point that this is arbitrary code execution means that the code runs with full ring-4 privileges [unless this exploit runs on Alpha too, then I'm not sure what happens, although you were specifically referring to Vista which doesn't], which is the same level that system services run in. So really, you can't mitigate the effect much at all. I'm no expert on the ring-0 processes in Windows or the glue that binds them to the rest of the system, but I imagine there's some things an exploit of this kind can do [such as accessing your TCP/IP stack and file system] and things it can't [such as making Windows use a new TCP/IP stack of the cracker's creation- but if you've got the privileges above, why bother?]. So now that we've gotten rid of the "this is not really MS fault" suggestion and removed your false sense of security in "protected" mode, where does that leave us?

      --
      We at slashdot are scientists, specialists and kernel hackers. Your FUD will be found out.
  2. Why would my cursor run as root? by Dr.+Zowie · · Score: 5, Insightful

    Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

    1. Re:Why would my cursor run as root? by The+MAZZTer · · Score: 1, Interesting

      It doesn't run as root, it can run in any security context. This exploit just crashes explorer, it doesn't crash Vista. However this is still a problem for Joe Average, who won't know what to do when explorer goes into a crash-restart-crash loop.

    2. Re:Why would my cursor run as root? by 644bd346996 · · Score: 4, Insightful

      What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.

    3. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 5, Funny

      What part of "Successful exploitation allows execution of arbitrary code." do you not understand?

      Successful.

    4. Re:Why would my cursor run as root? by FreshMeat-BWG · · Score: 4, Informative

      Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).

      It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".

      Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.

    5. Re:Why would my cursor run as root? by spun · · Score: 5, Funny

      Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.

      "In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.

      Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    6. Re:Why would my cursor run as root? by 644bd346996 · · Score: 4, Insightful

      Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.

    7. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

yes but if it runs as root, it can install a zillion spyware programs and other sh*t like that..

    8. Re:Why would my cursor run as root? by Bromskloss · · Score: 0, Flamebait

      go ahead and issue "rm -rf ~"

      Ah, I do that all the time. It's refreshing. Fortunately, I store all my data outside my home directory.

      --
      Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    9. Re:Why would my cursor run as root? by jfengel · · Score: 0, Flamebait

      Root exploits have the ability to screw other users besides you, and I think that's where the Slashdot ethos comes in. If you screw yourself it's because you weren't l33t enough to protect yourself. If you get screwed by some other user because the OS didn't protect you, then your l33t-ness goes down.

      So everybody's willing to accept a system that lets users screw themselves (ha ha!) but not you. And running a system that gives you the rope you need to hang yourself means you must be pretty l33t since you're too smart to fall for any traps.

    10. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 2, Insightful

      Who cares if it runs as root or not?

You're missing the point, and so are many others. If it runs as root/admin it means it can easily make itself completely invisible to the system. Fake info given to an anti-virus, etc. Completely stealth. It also means it can spy on you silently in the background. If an exploit is root, the only way to detect it is from another system. You simply can't trust your OS anymore, unless you reinstall everything from scratch. What makes you think a local exploit would delete your data or a root exploit would trash your whole OS? This is not what exploits do. Exploits nowadays are used to zombify machines (way more effective when the exploit is a root exploit) and to steal user data, to fake your identity. Also much more likely to succeed if the exploit is root (on some OSes, including some Windows versions, you can't install a key-sniffer unless you're root).

      What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?

The level of short-sightedness of your comment is quite sad. Oh, and my data are backed up daily to a server running in a VM and weekly burned to DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you", right?)

And anyway, on most systems, once you've got a remote non-root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about whether the exploit is root or not: I'd consider a Unix with a seemingly non-root exploit exploited to have been completely rooted, and so do I for Windows machines.

    11. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".


      My god, you're a dumbass. Why the hell is this modded up? Seriously, answer me.
    12. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      You can do the following in any linux system (probably UNIX too): write a cron job that backs up important files on a directory that normal users cannot access every day. even set nice +20 and ionice it as well, so you won't notice it at all. That's it. If you like complex solutions though, of course you can configure SELinux or Apparmor to restrict the applications that are allowed to write to important data.

    13. Re:Why would my cursor run as root? by lostboy2 · · Score: 1
      From the MS security advisory:

      An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

      An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
      So, it doesn't give the attacker root privileges unless the user has them.

      What I'd like to know is if there's a way to disable animated cursors in WinXP professional.
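A content-based check that follows from the advisory quoted above (an attack "is not constrained by this file type"), added here as an example that is not part of the thread or of Microsoft's advisory: it recognises animated-cursor data by its RIFF/ACON signature whatever the extension, and flags chunk lengths that do not fit the file or the fixed-size anih header. The 36-byte anih header size is a property of the ANI format, not something stated on the page; the sample files are constructed inline.

```python
"""Content-based scanner for animated-cursor (RIFF/ACON) data.

Inspects bytes rather than trusting the file extension, so a cursor
file renamed to .jpg or sent as a mail attachment is still recognised.
"""
import struct

RIFF_HEADER = 12            # 'RIFF' + uint32 length + 'ACON'
ANIH_SIZE = 36              # size of the fixed ANIHEADER structure (format fact, assumed)
CURSOR_EXTENSIONS = (".ani", ".cur")


def scan_ani(data: bytes) -> dict:
    """Walk the RIFF chunk list and report structural problems.

    Returns {"is_ani": bool, "chunks": [(id, length), ...], "problems": [str, ...]}.
    Data that is not RIFF/ACON gets is_ani=False and no further checks.
    """
    result = {"is_ani": False, "chunks": [], "problems": []}
    if len(data) < RIFF_HEADER or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return result
    result["is_ani"] = True
    problems = result["problems"]

    # The RIFF length covers everything after the 8-byte 'RIFF'+length prefix.
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 != len(data):
        problems.append(f"RIFF length {riff_len} does not match file size {len(data)}")

    pos = RIFF_HEADER
    anih_count = 0
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        chunk_len = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        remaining = len(data) - body
        if chunk_len > remaining:
            # A declared length larger than the data actually present is never valid.
            problems.append(f"chunk {chunk_id!r} at offset {pos} declares "
                            f"{chunk_len} bytes, only {remaining} remain")
            break
        result["chunks"].append((chunk_id.decode("ascii", "replace"), chunk_len))
        if chunk_id == b"anih":
            anih_count += 1
            if chunk_len != ANIH_SIZE:
                problems.append(f"anih chunk declares {chunk_len} bytes, expected {ANIH_SIZE}")
            else:
                cb_size = struct.unpack_from("<I", data, body)[0]   # first field: cbSize
                if cb_size != ANIH_SIZE:
                    problems.append(f"anih.cbSize is {cb_size}, expected {ANIH_SIZE}")
        # RIFF chunks are word-aligned: an odd-length body carries one pad byte.
        pos = body + chunk_len + (chunk_len & 1)

    if anih_count == 0:
        problems.append("no anih chunk")
    elif anih_count > 1:
        problems.append(f"{anih_count} anih chunks, expected 1")
    return result


def classify(data: bytes, filename: str) -> str:
    """'not-ani', 'ok', 'malformed', or 'disguised' (well-formed ANI under a non-cursor name)."""
    report = scan_ani(data)
    if not report["is_ani"]:
        return "not-ani"
    if report["problems"]:
        return "malformed"
    if not filename.lower().endswith(CURSOR_EXTENSIONS):
        return "disguised"
    return "ok"


def _chunk(chunk_id: bytes, body: bytes) -> bytes:
    """Encode one RIFF chunk: id, little-endian length, body, pad to even length."""
    return chunk_id + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_sample_ani(anih_len: int = ANIH_SIZE) -> bytes:
    """Constructed sample: a minimal ACON file whose anih chunk carries anih_len bytes.

    anih_len=36 gives a well-formed header; any other value gives a malformed file.
    """
    # cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
    anih_body = (header + b"\0" * anih_len)[:anih_len]
    payload = b"ACON" + _chunk(b"anih", anih_body) + _chunk(b"rate", struct.pack("<I", 10))
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


if __name__ == "__main__":
    for name, blob in [("cursor.ani", build_sample_ani()),
                       ("photo.jpg", build_sample_ani()),
                       ("cursor.ani", build_sample_ani(64))]:
        print(name, classify(blob, name), scan_ani(blob)["problems"])
```

A mail gateway or file scanner would quarantine anything classified as "malformed" or "disguised" instead of filtering on the .ani extension alone.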
    14. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      The parent comment is pretty stupid. If you can trust your computer, you can trust that it will take care of your files (like, automated daily backups). If you don't trust your computer (i.e. you let software run as root), your files won't be safe whatever you do.

    15. Re:Why would my cursor run as root? by Afecks · · Score: 2, Informative

      The MS website seems to imply that IE7 Protected Mode is not the default

      It is on by default for all but the trusted zone.

      That leaves at least 95% of the installed base of desktops vulnerable.

      Or you know.. not..

      There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.

    16. Re:Why would my cursor run as root? by init100 · · Score: 1

      Microsoft's advisory says that IE7 runs in protected mode in Vista

      I guess this would be a suitable place to make some joke about protected mode vs real mode in Windows, but I can't think of any. :(

    17. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

If you think the parent is stupid, then I don't think you understand what they are saying. To him or her (and to many others), the critical data that is important are the Documents, Pictures, etc. that are stored in the user profile (/home, C:\Documents and Settings, or whatever else). Because of this, even if you don't run as root, there is still a chance your important data can become corrupted or erased altogether. So to him or her, running as root is beside the point.

    18. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 1, Insightful

Ridiculous argument. You'd be just as hosed by a hardware fault. You'd better log out and run to buy some tape/CD-R, if you really value your data that highly, since you apparently don't do backups..

    19. Re:Why would my cursor run as root? by illegalcortex · · Score: 1

      I've often thought application sandboxing should be a fundamental aspect of OS design. Why should IE have access to anything other than its cache and a download directory? Why should MSWord be able to hit C:\Program Files\Mozilla? These kinds of things should be exceptions which are explicitly allowed. Unfortunately, I think such a system would be difficult for many users to understand. But if it could be made to work right, it would be inherently much more robust.

    20. Re:Why would my cursor run as root? by Locutus · · Score: 4, Insightful

You think that's bad? There was another security flaw in the mouse code announced over 15 months ago (Jan 05). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd at least want to be refactoring what you have to touch because of bugs or, for example, security holes.

http://www.checkpoint.com/defense/advisories/public/2005/cpai-2005-06.html

But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector, but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.

      Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    21. Re:Why would my cursor run as root? by libkarl2 · · Score: 1
      Animation of the cursor is just one of hundreds, possibly thousands of duties performed by the OS's graphics subsystem. Like many other peripherals, the graphics subsystem is hardware, controlled by one or more software drivers, and managed by the OS kernel in some way.

Even on Linux -n- *BSD, the graphics subsystem (X server) runs as root. CMIIW; in the case of most MS products, the graphics subsystem runs inside kernel space also. Basically, that's the highest possible privilege level w.r.t. software. Once kernelspace is compromised, game over. The sad ancient rule of thumb here is that the whole system is compromised beyond repair and it's time to reinstall. That goes for Windows, Linux, *BSD, Solaris, OS X, OS/2, Plan9, Minix... virtually all possible operating systems.

      --
      You are where you are at the time you are there.
    22. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

Parent IS stupid, because if he/she loses data, so what? There *should* be a backup; anything else *is* stupid. Also, if the system is rooted, how do you know you can trust your data at *all*? I say, rm -rf my homedir any day, fuck you, I've got a backup, and I'd notice immediately something was wrong. But I bet you'd hate having me rooting your system...

    23. Re:Why would my cursor run as root? by TheLink · · Score: 1

      Uh, then run your browser as another user, or in a virtual machine.

      Works for me. I run firefox as a different user from my main user account. I run IE in a vmware server virtual machine (and nowadays I even run that IE using a different user account - coz I do IM and use MS viewers in that vm ).

      If stuff happens I can just click "revert" on the virtual machine and it's back to what it was.

      What would worry me would probably be a graphics, sound or network driver exploit.

    24. Re:Why would my cursor run as root? by rbochan · · Score: 1

      ...But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product...

      You say that like it's a new thing.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    25. Re:Why would my cursor run as root? by Rutulian · · Score: 4, Informative

      Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.

Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason is that most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.

    26. Re:Why would my cursor run as root? by rwhamann · · Score: 1

      All the posters criticizing parent seem to be misinterpreting the parent's emphasis. He's trying to say that a user-level exploit is still pretty f**ing bad because while it can't do the 'leet' stuff, it can still attack what's most important to him - his data.

      --
      seg fault
    27. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      "rm -rf ~" would require root to complete successfully...

    28. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      If the data you have is truly valuable, why don't you protect it (as well as gain the added value of change history) by putting it under a configuration management architecture.

    29. Re:Why would my cursor run as root? by klubar · · Score: 3, Interesting

FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe in their infinite wisdom requires you to turn off protected mode to be able to write PDF (using Acrobat) from IE. More Adobe's fault than anything else.

    30. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 0

      Yeah, this cursor exploit had been around since the dark ages. It surprises me that it's not fixed yet. It's really a simple thing, make it so the cursor cannot be changed unless explicitly in control panel then require a password to allow it, not a simple yes/no question.

    31. Re:Why would my cursor run as root? by secPM_MS · · Score: 2, Interesting

      I will start this response with noting that I work a security team at MS that deals with OS security issues.

Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features. MS took an enormous step in security with their release of IE 7. This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

      In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

      Until a patch is released, turn off active cursors.

      All features add attack surface. If you are more concerned about security, such as I am, you will disable features that are neat, but don't add much functionality. I suspect that most users like the neat eye candy.

      As for me, I am running Vista on a notebook in power saving mode. I went into advanced settings and optimized for performance, thereby disabling aero / glass. I then went into the control panel and turned off sidebar. I run explorer in Windows classic mode. And yes, I routinely work in a command prompt.

I browse with IE in protected mode. I have gone into the advanced settings and turned off scripting, multi-media, explicitly disabled flash/shockwave, active code, etc. If web sites were understandable in plain text, I would turn off images as well. I would expect that most other browsers would be reasonably safe with such lockdowns -- but much of the web might as well not exist for such restricted browsers. Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

      Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without replacement and an Apple policy that required me to keep buying new OS releases at ~ $150 about every 2 years to keep my security updates, I came to truly appreciate the long term and transparent MS support.

    32. Re:Why would my cursor run as root? by FreshMeat-BWG · · Score: 1

Yes...you get the point. A user-level exploit is virtually as bad to me as root-level. Valid differences others have pointed out: a) root-level can be sneakier and circumvent anti-virus, spy-ware, etc. b) root-level can affect all users (not an issue on my personal desktop) c) root-level may require an OS re-install in addition to a data restore

    33. Re:Why would my cursor run as root? by I'm+Don+Giovanni · · Score: 1

      "There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it."

      I thought this was an OS problem, such that any browser would be affected if they run the malicious animated cursor (though IE7 in protected mode would not allow any real damage). No?

      --
      -- "I never gave these stories much credence." - HAL 9000
    34. Re:Why would my cursor run as root? by toadlife · · Score: 1

      It can do that without root too. It would just have to install them in the user's space. It can't do nasty things like hook the kernel though - which is good.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    35. Re:Why would my cursor run as root? by toadlife · · Score: 1

I believe you are right and I believe that it will be in the future. Microsoft is introducing a form of it with Vista (IE protected mode is made possible by MIC), and Linux vendors like Novell (AppArmor) and Red Hat (SELinux) have been deploying it for a while now.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    36. Re:Why would my cursor run as root? by Locutus · · Score: 1

      no, it's just that there's a whole crop of newbies who just don't know the history. You know, the ones with the glazed eyes and with "Microsoft" tattooed on their foreheads. ;-)

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    37. Re:Why would my cursor run as root? by shutdown+-p+now · · Score: 3, Insightful

Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features.

      Let's see.

      Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?

      MS took an enormous step in security with their release of IE 7

      If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.

      This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

It already hasn't been. The guys who found the exploit say that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclose the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.

      In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

It cannot erase my data, sure. Who but an angsty script kiddie would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.

      Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?

      Until a patch is released, turn off active cursors.

      HOW? Because, you know, your very own security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!

      Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

      Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.

      Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep

    38. Re:Why would my cursor run as root? by sloth+jr · · Score: 1

      Who cares if YOUR data is owned, I'm just concerned that your machine isn't used to attack or spam MY machines.

      sloth jr

    39. Re:Why would my cursor run as root? by earthbound+kid · · Score: 1

      I agree completely. When I hear people say, "Oh, it's not a root exploit, so whatever," I find that argument totally unconvincing. Yes, it's nice to have the confidence that with OS X I won't end up like Windows where you have to go to the extreme lengths of reformatting a disk to try to clear the deeply dug in roots of some spyware crap from the system, but there's still the pretty damn big issue of all my data. Namely, having to reinstall OS X would be a pain, and I'm glad I don't have to waste an hour doing it, but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating. The data on my PowerBook is my life, and the reassurance that at least I don't have to reinstall OS X would be cold comfort at best. True, I do make a monthly backup onto an external drive that is normally unplugged (and thus out of range of rm *ing attacks), but probably most users don't follow this practice.

      There is a solution to the problem, but it requires a deep-rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can use and how. So, for example, I would let FireFox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want FireFox to be able to read my local files, but I'd be willing to put in a password to let it do so on a time-limited basis during uploads and the like.

      Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

      So, that's what's on my wishlist for OS X.6. Linux dudes, you're encouraged to start hacking it out now and make OS history!

    40. Re:Why would my cursor run as root? by tshak · · Score: 1

      It's bad enough that the mouse code is an attack vector, but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.


      While it would be nice if no flaws made it into Vista, some will. IE7 on Vista runs in protected mode by default. As I understand it, this means that this flaw will not execute using default IE7 settings. The user has to manually execute arbitrary code or disable protected mode in IE.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    41. Re:Why would my cursor run as root? by Locutus · · Score: 1

      I understood that differently, in that the flaw is in Vista, but because IE 7 on Vista is defaulted to "protected mode" that application will restrict this flaw to damage within the "protected mode" space, i.e. the one sandboxed application, IE 7, so damage caused by it is restricted to a virtual filesystem of little consequence.

      Otherwise, I don't think the security people would have listed Vista in the list of systems susceptible. Given that, I also have to imagine that though this is a likely target for HTML based attacks, the flaw is in the standard mouse handling mechanism and therefore any other means of getting into the mouse handling system are also attack vectors and IE 7 on Vista isn't going to protect it. But you won't be hearing that from Microsoft about the most secure operating system ever built.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    42. Re:Why would my cursor run as root? by wirelessbuzzers · · Score: 1

      What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?

      I haven't used Windows seriously for a while now, but I'm pretty sure you can keylog people without root. If nothing else, you can replace their Explorer or Firefox with a modified one that keylogs them, but I bet you can do better by loading the right DLLs into it. OK, fine, you might not get the login password, but even if this is different from your other passwords, the attacker still gets everything it protects. And if you bank online, he gets your bank routing number, account number and password. If you shop online, he gets your credit card number. If you file taxes online, he gets your income information, your banking data or credit card, and your SSN.

      Furthermore, you can easily zombify a PC without root. You just have to make a daemon that runs as the user on login. Sure, it won't affect other users, but most home machines only have one user account on them. From there you can remote-control the machine, send spam, serve child porn (just not on port 80), proxy attacks against other machines, the works. You don't get to forge IP addresses or sniff packets, but that doesn't matter for most attacks, especially not on home networks.

      The level of short-sightedness of your comment is quite sad. Oh, and my data are backed up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you" too, right?)

      GP mentioned "apart from backups". But most people don't keep good backups either.

      And anyway, on most systems, once you've got a remote non-root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about whether the exploit is root or not: I'd consider a Unix with a seemingly non-root exploit exploited to have been completely rooted, and so do I for a Windows machine.

      Right. So if your local account gets hacked, and you somehow discover this, you still have to R&R because you can't be sure that they didn't get root.

      --
      I hereby place the above post in the public domain.
    43. Re:Why would my cursor run as root? by secPM_MS · · Score: 1

      A look at the vulnerability / bug reports for IE 7 vs Opera vs Firefox vs Safari can be interpreted by the reader to favor any given browser, depending upon the relative weights given to the various factors and the reader's desire to believe in any given browser. I do not believe that the data clearly demonstrates a clear and uncontested security superiority for either Firefox or Opera. The data does clearly show that IE 6, an older browser, is less secure than newer browsers. This is not surprising. Older versions of Firefox also have more vulnerabilities. By the way, I do like Opera.

      The data shows that no browser is absolutely safe. Using IE 7 in protected mode helps (Vista only). If you are going to browse in the most dangerous sites, I suggest that you take corresponding protective measures. The simplest would be to run from within a VM. On a FreeBSD system, it would be appropriate to jail your browser and you might want to use a Biba policy with the MAC labels to further confine potential damage. The chroot jail is supported, to the best of my knowledge, on Linux distros, and if you are running one of the Linux distros that support SELinux, you can set the TE policy to confine it further.

      The security of an OS and application is dependent upon how much functionality is exposed to the attacker. OpenBSD tries very hard to minimize their attack surface and has done a good job of it. Despite their efforts, they recently had a remote vulnerability in the IP6 system. Users seem to like rich functionality, as seen in modern Windows releases, as well as Linux releases such as SUSE 10. When you expose more functionality, you get more vulnerabilities. This is particularly true in applications such as browsers, which handle a wide variety of untrusted and frequently actively hostile content. When you start putting up security barriers, users get irritated.

      Surprisingly, Microsoft was willing to irritate its users a bit to start driving the security bar higher. Applying security mechanisms such as MAC labels or TE policies tends to really interfere with casual system operation and baffle most users. Making the system unusable is one way to secure it, as an unused system is not going to damage anyone. It is also not going to make happy users. Hence the continual striving for an acceptable balance between ease of use, security, and functionality. MS releases products with what it believes to be a reasonable balance of these issues for general consumers. MS also recognizes that some customers are willing to sacrifice functionality and ease of use for security and reliability. Thus provisions are made to allow the appropriate policy controls (typically implemented through group policy) to make the system suitable for DOD / critical infrastructure use. I would expect that you could find the appropriate information on MSDN, if not in the configuration guidelines for DOD environments (roughly the old NSA HiSec template and configuration guidelines).

    44. Re:Why would my cursor run as root? by shutdown+-p+now · · Score: 1

      If you are going to browse in the most dangerous sites, I suggest that you take corresponding protective measures. The simplest would to be to run from within a VM.
      Interesting. So how I'm supposed to know, while surfing the 'Net, which sites are the "most dangerous"?
    45. Re:Why would my cursor run as root? by tshak · · Score: 1

      Otherwise, I don't think the security people would have listed Vista in the list of systems susceptible.

      Vista is listed because the flaw does in fact exist in Vista even though Vista does a better job mitigating flaws like this (e.g. IE7 protected mode). Theoretically I could stick this exploit in an EXE, put it on a USB drive, give it to someone to execute, and it would do almost (or as much) damage. The major attack surfaces, IE7 and Outlook 2007, mitigate this though.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    46. Re:Why would my cursor run as root? by Raenex · · Score: 1

      So what was the point of your post? Microsoft took a huge step forward, but it still can't stop the average user from getting their browser owned? The same browser they do online banking with? You give lots of advice that is good for geeks who take a more-than-usual proactive security approach, but what about the vast majority (hundreds of millions) of users who do not?

      I think what we should all take from this is that Microsoft cannot release a secure browser, despite tremendous pressure to do so. Microsoft should be embarrassed. It's 2007 and the same kinds of problems from 10 years ago are still occurring.

    47. Re:Why would my cursor run as root? by Jerf · · Score: 1

      You can do this pretty easily in any OS that has a sudo command. Create the new account, alias the command to use sudo instead of running the command directly, and you're off to the races. You don't "need" OS support on Linux (and I assume BSD).

      In Windows it shouldn't be that hard to run IE as another user, but I don't know about Windows, nor do I know if that buys you much real protection.

    48. Re:Why would my cursor run as root? by secPM_MS · · Score: 1

      No single browser is truly secure. They are getting better, but so are the attacks. Reducing their functionality can increase their security. If you want to do banking as well as browse to dangerous locations from an XP or earlier system, I would recommend using 2 browsers.

      Until my children started using the computer, I was safe with IE alone, as I am a vigilant user and don't browse the more dangerous corners of the net. Since my children now occasionally use the system as well, I have added Firefox. I use IE 7 on XP for my banking, trusted transactions, and interaction with well-known sites (the security settings for the Internet zone are customized and quite high, with my bank in the trusted site zone). I have told my children to use Firefox for general browsing (I have gone into the Firefox configuration to disable active content, scripting, media, etc. AJAX does not run on my Firefox configuration). Note that on Vista a vigilant user can use protected mode and zones to get equivalent results.

      I have recently added a Vista computer as my children's primary computer. Vista has basic parental controls. The children run as limited users and use IE7 in protected mode on the Vista system. I do not need to run Opera / Firefox as a secondary browser in this configuration - indeed, doing so would break the parental controls, which are integrated into the IE filter engine.

      If general users want to be safe in e-mail, they should work in plain text only. I learned long before I came to MS to move to plain text. Doing so does a great job against image spam and it also breaks the html games that can be played against the user.

      My home XP system is an old Win 98 system that I upgraded to XP. Given the legacy HW that is attached to it, I will never upgrade it -- Vista drivers are not available. The system and software still do what I bought them to do.

    49. Re:Why would my cursor run as root? by Raenex · · Score: 1

      No single browser is truly secure. They are getting better, but so are the attacks. It sounds like it's the same old problems. Why is it that one silly function dealing with a cursor has the ability to compromise the whole browser? Are the security guys at Microsoft looking at capability-based systems? I know of Singularity, but it seems that none of the basic principles are being spread to everyday applications.

      Instead, what I see is people like you focused on how a sophisticated end user can do sandboxing themselves. Meanwhile, there are 100s of millions of users who this will never work for. The browser needs to be secure out of the box. A single line of insecure code out of millions should not compromise the whole browser. Browsers like Firefox are just as bad. You'd think Microsoft would want to innovate in this area, instead of being subjected to bad press.

      By the way, as a style issue, using more paragraphs would make your message easier to read. Looking at the HTML source it seems you did have paragraphs. Preview! Also, you probably want to use Plain Old Text, and not HTML Formatted. This way two returns gets you a new paragraph. Otherwise you have to manually add <p> tags.
    50. Re:Why would my cursor run as root? by suv4x4 · · Score: 1

      Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this.

      Actually, Vista does that. An exploit running successfully in IE7 can just read/write some data in your temp folder and that's about it (this could also be potentially bad, but still much better than otherwise).

      Ironically though, they forgot to apply the same logic to some auxiliary applications the browser can touch (such as the pointer...).

    51. Re:Why would my cursor run as root? by suv4x4 · · Score: 1

      Actually, Vista does that. An exploit running successfully in IE7 can just read/write some data in your temp folder and that's about it (this could also be potentially bad, but still much better than otherwise).

      Ironically though, they forgot to apply the same logic to some auxiliary applications the browser can touch (such as the pointer...).


      Wait, I take that back, from an article on the issue:

      "Internet Explorer 7 in Protected Mode (available only in Windows Vista) mitigates this problem."

      Hmm.. so Microsoft *did* it properly, after all. Great news for Vista users.

    52. Re:Why would my cursor run as root? by AaronLawrence · · Score: 1

      The concept of "dangerous" websites is pretty useless, IMO.

      A very large number of otherwise healthy websites present banner ads on their pages. Surely all that someone wanting to distribute malicious code has to do is buy a few dollars worth of advertising and include their exploit in that advertising. Presumably the recent JPG exploits could be easily distributed that way. Not so sure about this one, but the point is that all sites have to be viewed as suspicious because they are often made up of code and media from many different sources.

      Yes, they would have to present a credit card to buy their advertising, but there is no shortage of stolen credit cards out there.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  3. Surprise, Windows Listed as Most Secure OS by ballmerfud · · Score: 5, Funny

    Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.

    --
    http://uncyclopedia.org/wiki/User:Steve_Ballmer
    1. Re: Surprise, Windows Listed as Most Secure OS by CoolVibe · · Score: 4, Funny

      Surprise, Windows Listed as Most Secure OS ... just don't move the mouse. and pull the network plug out while you are at it. More security :)
    2. Re: Surprise, Windows Listed as Most Secure OS by rblancarte · · Score: 1

      Yes, but that is a given with any computer (Linux, Mac or Windows). Hence the saying that the most secure computer is one that is off, not plugged into anything (including a keyboard, monitor or wall outlet) and locked in a vault.

      IMHO, while the actual exploit might be new, haven't things like animated cursors always been among things you wanted to avoid due to the malware they come with? This just makes them worse.

      RonB

      --
      It is human nature to take shortcuts in thinking.
    3. Re: Surprise, Windows Listed as Most Secure OS by morgan_greywolf · · Score: 1

      and pull the network plug out while you are at it. More security :)


      While you're at it, pull out the cable attached to the power supply....Windows Vista Ultimate Security! ;)
    4. Re: Surprise, Windows Listed as Most Secure OS by Sunrun · · Score: 1

      "IMHO, while the actual exploit might be new, haven't things like animated cursors always been among things you wanted to avoid due to the malware they come with? This just makes them worse."

      If I understand the vulnerability correctly, this applies not to cursor animation packs downloaded/installed by the user but to a website's ability to replace the cursor with a custom one within specific browsers (i.e. the cursor is only different while hovering over the browser window that's displaying the page containing the custom cursor code).

      Is this correct, or am I mistaken?

      - 'Drew

      --
      "God is a comedian playing to an audience too afraid to laugh." -- Voltaire
    5. Re: Surprise, Windows Listed as Most Secure OS by Anonymous Coward · · Score: 0

      Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.
      and pull the network plug out while you are at it. More security :)
      Make sure you're not using a wireless mouse!
    6. Re: Surprise, Windows Listed as Most Secure OS by Anonymous Coward · · Score: 0

      Nuke it from orbit. It's the only way to be sure.

    7. Re: Surprise, Windows Listed as Most Secure OS by nschubach · · Score: 1

      While you're at it, pull out the cable attached to the power supply....Windows Vista Ultimate Security! ;)
      I tried to do that, but Microsoft Vista Ultimate Security asked me if I really wanted to do it and I accidentally clicked no. Now I can't unplug it anymore.
      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  4. This old? by LinuxGeek · · Score: 4, Insightful

    With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    1. Re:This old? by truthsearch · · Score: 4, Insightful

      This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

    2. Re:This old? by rbochan · · Score: 2, Insightful

      A decade ago it was screensavers... you've come a long way baby...

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    3. Re:This old? by LilGuy · · Score: 4, Insightful

      If it were true that this was exploited for years, why would it come out now? Has something even better been found and thus this one can be trashed?

      --

      You're nothing; like me.
    4. Re:This old? by Anonymous Coward · · Score: 0, Flamebait

      It could pay very well to keep ploits such as this one

      WTF is a "ploit"? Is it really that hard to type those two extra letters?
    5. Re:This old? by AndroidCat · · Score: 1

      A decade ago, it was Comet Cursor. A long way on a hamster wheel doesn't count. (Unless you're on the shuttle...)

      --
      One line blog. I hear that they're called Twitters now.
    6. Re:This old? by Anonymous+Brave+Guy · · Score: 1

      That's true, but it's true of any exploit list. After all, how would the list maintainers know if something were secretly being exploited for years?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    7. Re:This old? by Just+Some+Guy · · Score: 1

      It could pay very well to keep ploits such as this one silent for as long as possible.

      What makes you think they didn't?

      --
      Dewey, what part of this looks like authorities should be involved?
    8. Re:This old? by alexhs · · Score: 3, Informative

      Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29.
      So, their problems with animated cursors are really old, back to the NT 4 era.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    9. Re:This old? by truthsearch · · Score: 1

      That's true. My point wasn't specific to Microsoft. I just used them because they're the subject of the post and such an easy target. ;)

    10. Re:This old? by LinuxGeek · · Score: 1

      WTF is a "ploit"?


      A ploit is what happens when you type exploit with a wireless keyboard at the edge of radio range. And then neglect to carefully proofread. Shit, I forgot this is /. and only English majors are allowed, sorry for damaging your retinas.
      --

      Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    11. Re:This old? by ergo98 · · Score: 2, Interesting

      If it were true that this was exploited for years, why would it come out now?

      Someone got too greedy? They targeted a rare individual that was more vigilant about their machine?
    12. Re:This old? by pallmall1 · · Score: 1

      Shit, I forgot this is /. and only English majors are allowed, sorry for damaging your retinas.
      /.?
      WTF is /. :)
      --
      3 things about computers: they're alive, they're self-aware, and they hate your guts.
    13. Re:This old? by LoudMusic · · Score: 1

      This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years. That goes for the UNIXes as well.
      --
      No sig for you. YOU GET NO SIG!
    14. Re:This old? by __aamnbm3774 · · Score: 0

      well you shouldn't be browsing the internet on your secure server anyway. linux+firefox isn't fool-proof either.

    15. Re:This old? by argStyopa · · Score: 1

      So Microsoft's list is merely "known knowns" and "known unknowns" while (for MS anyway) this would have fallen into the category of "unknown unknowns"?

      --
      -Styopa
    16. Re:This old? by LurkerXXX · · Score: 1

      The official list of exploits for every other OS is also a meaningless metric in that case. Take OpenBSD for example. It's the most secure OS out there (except perhaps for OpenVMS). The OpenBSD folks audit their code, over and over, rewriting messy code that is hard to audit, just in case any nasty bugs are in there but too difficult to weed out. It's the best example you can cite for the open source motto of "many eyes looking over the code finds more bugs" because their eyes are some of the best trained to look for security holes.

      It's pretty much a given that they are the most paranoid folks around when it comes to securing their OS (which is why I love it) yet there was a flaw in the memory handling of some IP6 code which left it exposed for years to anyone who might have known about the flaw, but kept it a secret to use themselves. No set of eyes is perfect for finding bugs in software. Every OS you care to mention probably has multiple holes that have been in it for years that might be secretly exploited. So by your reasoning, that standard metric is meaningless for all OS's.

    17. Re:This old? by fuzz6y · · Score: 3, Informative

      Because one of the "good guys" finally found it and reported it. The "bad guys" weren't ever going to squeal.

      --
      If you're going to be elitist, it would help to be elite.
    18. Re:This old? by Locutus · · Score: 1

      that sounds about right but you must admit, Microsoft was just in this code about 15 months ago because an invalid parameter (where's the unit testing?) caused an exploit but they missed this current flaw in the same area. After hearing about the WMF flaw, how they screwed that one up, and moved that flaw/code into all versions of Windows, it's hard to believe Microsoft doesn't just suck at software security. Like the OpenBSD folks, they should be refactoring up the wazoo to work at actually making the product more secure, especially since perceived security of GNU/Linux is a major factor in migrations and use of OSS.

      Oh, and what is the wealth of the OpenBSD folks compared to Microsoft? OpenBSD seems to have the manpower and time to do what's needed to actually make the product more secure but somehow Microsoft doesn't. I guess it goes to show that maybe Microsoft is just way too much of a marketing company and far less of a technology company when stuff like this keeps happening over and over, year after year.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    19. Re:This old? by Anonymous Coward · · Score: 0

      yes it's old. in fact, just to level the playing field, a 7 yr old exploit was just recently used to hack root on security enhanced linux too.

      now with literally 10000 exploits and not much of a lab i can't get round to all of these and perhaps it's good to try old stuff on new things once in a while eh?

    20. Re:This old? by Anonymous Coward · · Score: 0

      It could pay very well to keep ploits such as this one silent for as long as possible. If you're trying to be a l33tard, at least learn that it's "sploits", not "ploits".
    21. Re:This old? by Tyberius · · Score: 1

      Shit, I forgot this is /. and only English majors are allowed, sorry for damaging your retinas.
      /.?
      WTF is /. :) That would depend on what the definition of is is.
  5. oldie but goodie by Anonymous Coward · · Score: 0

    I remember reading about this on full disclosure almost 2 years ago.

    1. Re:oldie but goodie by tijmentiming · · Score: 1

      source?

    2. Re:oldie but goodie by Dan+Stephans+II · · Score: 1

      http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx It's a new vector on an old problem, as the parent said; it's been around a while.

    3. Re:oldie but goodie by Locutus · · Score: 1

      I think the last one( Dec 04/Jan 05 ) was due to a function parameter of "0" causing a crash which could/was exploited. This current flaw is still in the mouse code but somehow related to how the animated mouse data is loaded.

      I don't recall exactly what this current exploit does so if someone knows, please chime in. IIRC, they are related in the fact that it is the mouse handler( ya know that's gotta be a huge codebase ;) but in different parts of the code.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  6. Oblig. by zlogic · · Score: 3, Funny

    In Soviet Russia, cursors pwn you!

  7. goddam hackers by Anonymous Coward · · Score: 1

    It's becoming real sad to have to think about every abuse in any single program...
    I mean, why the hell should you care about how your application crashes if you feed it a parameter that should not even happen in a goddam icon animation program!
    It's like asking people to live in bunkers in the real world.....
    Something really needs to be done about those people. They really have too good a time abusing people when they can't be caught because they live in another country; it's too easy.

    captcha: disarm...

    1. Re:goddam hackers by jellomizer · · Score: 4, Informative

      I guess you are not a student of Computer Science.
      Every parameter from every possible input needs to be verified for its correctness. If it isn't, you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.

      The concept is simple; actual practice is hard.

      A lot of the time these hacks are not found because they were looking for a way to hack the system, but they realized there was a problem when they did something wrong and it didn't return errors but had disastrous consequences.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:goddam hackers by Anonymous Coward · · Score: 0

      Yeah yeah, check everything possible, like in an airport, right... (see how useful and tiresome it is; same with programs)
      Guess you are STILL a Computer Science student.
      If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists every possible abuse.
      So yeah, it is nice to let the user know why it crashes, but it should NOT be the 'priority'.
      It is now sad it has become so because of the impunity the people abusing your program for malware have.
      Sometimes because of that, the program to check the data is a hell of a lot heavier than the useful function itself.... sad sad sad...

      'A lot of the times these hacks are not found because they were looking for a way to hack the system '
      actually yes they were, using programs to feed everything in sight with bogus data and see how it reacts.

      funny catchpa:overflow...

    3. Re:goddam hackers by oztiks · · Score: 1

      Hackers, shmakers, try not pointing the finger at an easy (and less harmful) target created from propaganda media or a misguided opinionated blog writer.

      Name one hacker that has caused _any_ serious economic problems on the internet so far? And if it was, it was usually done incidentally, not as the focus of the exercise.

      It's organised crime syndicates that instigate DDoS attacks on corporations. So consider, would you prefer some comp sci geek, teenage kid in their mom's basement discovering such holes and then reporting them to Bugtraq? Or would you like hired professionals who are given big wads of cash under the table to create malicious applications and provide them to people who wish to insinuate the illegal and malicious use of the code on persons/organisations?

      These days companies need to protect themselves from being held to ransom by such people, not the kids; the kids have always just been having fun being smarter than everyone else.

    4. Re:goddam hackers by jellomizer · · Score: 1

      That is why I said the concept is simple; in practice it is hard. The point is these flaws are due to bad programming. In the real world we do bad programming: global variables, GOTOs, linear searches on ordered lists. But when we get the problem we need to admit it is bad programming, not say well, it's those nasty hackers' fault for making my app do what I didn't want it to do. Image processing used to be safe, but now with more and more options it is becoming a dangerous thing.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:goddam hackers by Just+Some+Guy · · Score: 4, Insightful

      Guess you are STILL a Computer Science student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists every possible abuse.

      I was going to try to be calm and rational about this, but screw it.

      It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

      You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.

      Seriously. Quit before you break something.

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:goddam hackers by Qzukk · · Score: 1

      that has no impact on security (this is image processing dammit)

      Sure looks like it had an impact on security to me. Maybe the problem is with students who think that the things they write have no impact on security at all.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:goddam hackers by SpooForBrains · · Score: 1

      Over here from thedailywtf (or whatever it's calling itself now) are you?

      That captcha stuff is lame there and, guess what, it's lame here too.

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
    8. Re:goddam hackers by david_g17 · · Score: 4, Funny

      You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
      ~David_g17 sharpens his spork...~
    9. Re:goddam hackers by azrider · · Score: 1

      Name one hacker that has caused _any_ serious economic problems on the internet so far?
      Robert T. Morse Jr. ???
      --
      And ye shall know the truth, and the truth shall make you free.
      John 8:32(King James Version)
    10. Re:goddam hackers by Anonymous Coward · · Score: 0

      Well I think this is more a matter of something like, "Okay, I have this offset in my input buffer. Should I follow that pointer? Do I know where it came from?" etc.

      A program can have all the global variables, gotos, and linear searches it wants. If it correctly handles a situation like the above, it is no flight risk.

    11. Re:goddam hackers by shadowrat · · Score: 1

      'it should not ever lead to anything else than that:a crash of MY program.'

      I'm sure that's what the developers of the animated cursors were thinking too.

      I used to have the same mindset. It's easy to be complacent. It's easy to assume if someone enters bad data and your program crashes that anything happening after that point is the fault of the underlying system.

      However, we have tools to prevent the crash. Provided you are developing in some higher level language, all you have to do is catch an exception and shut down the app. The UX people can bitch at me about the bad experience and whatnot, and I can argue with them about what kind of idiot it takes to cause the program to exit in that way, but at least it's safe.

    12. Re:goddam hackers by An+ominous+Cow+art · · Score: 1

      That's 'Morris', not 'Morse'.

    13. Re:goddam hackers by Anonymous Coward · · Score: 0

      'Provided you are developing in some higher level language'
      I am, and still, in Java there are many ways to crash the JVM leading to unexpected results.
      I had a program that could crash a version of it nearly always with a simple drag and drop. I could not see why; I rewrote it differently (because I thought of a better GUI) and it never crashed again.
      (and before that security backstabber comes back again, no, it was not because the clipboard held bad data....)

      The fact that the OS is compromised because of the graphic tool IS the problem....
      not the fact that the graphic tool crashes because it is fed bad data....
      because even with correct data that does not mean the program will not crash in the same useful way for the malevolent hackers...

    14. Re:goddam hackers by spedrosa · · Score: 1

      The ignorance is strong with this one.

    15. Re:goddam hackers by Anonymous Coward · · Score: 0

      From us old folks in the industry, always check all of your input. Someone will attempt to use your code in a way it isn't supposed to be used. This isn't an exception, it happens all the time.

      Debugging an error that manages to cascade through several functions progressively mangling the data more and more because none of them recognize it as bad until finally one piece chokes on it hard enough to crash is not fun. Even if you get a stack trace and a core dump, the trace and dump are likely to be mangled beyond usefulness.

      If they all checked their inputs, it'd die right after the data became invalid. It takes seconds to debug instead of hours or so long that you say that it isn't worth it because it doesn't crash often.

      If all of the checks kill performance, wrap the worst performing ones in ifdefs. Leave them in for developers and take them out on the final QA/release builds.

    16. Re:goddam hackers by Anonymous Coward · · Score: 0

      It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems.

      Guess what? If you want to live in a world where the PDP-11 is still a state-of-the-art machine, then by all means, shoot the codemonkeys.

      You can either run NASA deep-space-qualified code on your PC, or you can have 99% of the useful but insecure applications and features that you have. Pick one. Nobody can be productive when they're trying to "anticipate how every line of code can be attacked." Not you, not me, not anyone.

    17. Re:goddam hackers by Anonymous Coward · · Score: 0

      But don't you know? Writing secure software is hard. I don't like working hard. Not even Microsoft can do it, so why should I even try?

    18. Re:goddam hackers by Anonymous Coward · · Score: 0

      You are my hero! Are you teaching computer science btw? If so, I would like to apply for a course.

      (I am not kidding!)

    19. Re:goddam hackers by Just+Some+Guy · · Score: 1

      That's kind of you to say, but no, I'm nose-to-the-grindstone in the workforce.

      --
      Dewey, what part of this looks like authorities should be involved?
  8. The Solution is Amazing by neoform · · Score: 4, Funny

    >Solution: Do not browse untrusted sites or view untrusted e-mails.

    Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.

    --
    MABASPLOOM!
    1. Re:The Solution is Amazing by Anonymous Coward · · Score: 0

      Or emails from people you DO know. They could have been haxx0red!

      Basically, what they are saying is that you should install Debian.

    2. Re:The Solution is Amazing by penp · · Score: 2, Informative
      If you read the link to Microsoft's advisory about the exploit, it sounds like you're not even supposed to trust email from people you do know.

      As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. On top of that, if you read further it starts to sound like a scheme they're using to try to sell more copies of Windows Vista.

      Mitigating Factors for Animated Cursor Vulnerability

      Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

      By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
      Who needs animated cursors, anyway?
    3. Re:The Solution is Amazing by ksalter · · Score: 1

      Of course you can get IE 7 on XP too, so there is no incentive to purchase Vista.

    4. Re:The Solution is Amazing by Yvan256 · · Score: 1

      And since you can fake web addresses (at least for Internet Explorer) and fake email addresses (nobody is immune), you can't do anything at all.

      The real solution is to disconnect your computer from teh intarweb.

    5. Re:The Solution is Amazing by ksalter · · Score: 1

      Of course, I could read a little better and realize that IE 7 on XP does NOT run in protected mode, so I retract my previous statement. Doh!

    6. Re:The Solution is Amazing by ehaggis · · Score: 5, Funny

      Don't use a cursor, just guess where your mouse is pointing.

      --
      One ring to bind them - should probably have more fiber and less rings in their diet.
    7. Re:The Solution is Amazing by pionzypher · · Score: 1

      Tried that, girlfriend slapped me and I'm still sleeping on the couch.

      --
      I'll believe in corporations having personhood when Texas executes one... - advocate_one
  9. DOH! by Anonymous Coward · · Score: 0, Interesting

    NO WONDER I got viruses on my personal computer by just visiting web sites, and without running any Java Applets or anything that would normally execute any code on my end. Those b**tards were running an animated cursor algorithm?? How in the heck would Microsoft allow the execution of code for that?? Microsoft needs to learn that it is NOT okay to execute code from the Internet without the user's permission, How much longer will it be before they realize this??

    1. Re:DOH! by Anonymous Coward · · Score: 0

      Yes. I'm certain the problem is that they don't "realize" they shouldn't allow arbitrary code execution. If they realized this was bad, they would automatically produce completely flawless software that has no security vulnerabilities.

      Up until this point, they have been including these security holes on purpose, because we all know how trivially easy it is to produce software that is bug-free. I'm going to send them a letter, to let them know that they should stop allowing the execution of arbitrary code. That will fix this once and for good.

      Thank you, fellow AC. You are fucking brilliant.

    2. Re:DOH! by Anonymous Coward · · Score: 0

      You are a complete idiot "other anonymous poster"! It doesn't take rocket science to write a web browser that won't execute code external to itself! It's no MISTAKE that it allows such activity! Programmers have to purposely code it to do that!! I have NEVER gotten a virus while using Firefox... hmmmm, does that make Firefox flawless?? NO, it has memory leaks. But at least my system can't get infected while using it.

      As far as the operating system itself, how in the hell can Microsoft allow user programs to modify system files (thereby infecting the system)? A secure operating system would be one that disallows changes/modifications/additions to system folders and registry unless the user is prompted. Let's say you're installing MS Office... A nice little prompt comes up and says that something is f**king with the system... I click YES and let it continue! Now, let's say I run a Java applet or I download and run an EXE and I get the prompt... I say NO!! What's so hard about that??

    3. Re:DOH! by Anonymous Coward · · Score: 0

      Microsoft needs to learn that it is NOT okay to execute code from the Internet without the user's permission

      "Animated cursor 'hourglass busy cursor' wants to move one dot of sand down. Cancel or Allow?"
      "Animated cursor 'hourglass busy cursor' wants to move one dot of sand down. Cancel or Allow?"
      "Animated cursor 'hourglass busy cursor' wants to move one dot of sand down. Cancel or Allow?" ...

    4. Re:DOH! by Bungie · · Score: 1

      secure operating system would be one that disallows changes/modifications/additions to system folders and registry unless the user is prompted.

      Welcome to Windows Vista my friend.

      --
      The clash of honour calls, to stand when others fall.
  10. Vista Security. by jellomizer · · Score: 1

    I thought Vista was supposed to be the most secure OS ever. But animated mouse icons? I wonder what part of protected memory Microsoft doesn't understand. It is probably due to some speedup fix so it can beat the benchmark tests. In normal use we don't see a problem, but they sacrifice security so it can beat the benchmark tests so it can say it is faster.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Vista Security. by cnettel · · Score: 1

      Let me ask a counter-question: What part of a user-mode exploit don't you understand? What I want to know is to what degree the reduced privileges of IE in Vista (confusingly also called "protected mode") makes direct exploitation of this harder.

    2. Re:Vista Security. by cnettel · · Score: 1

      Ok, replying to self. The MS advisory seems to claim that IE protected mode means that it can't be exploited (just crashing IE). I would doubt that this is totally true, but it's clear that exploiting it to get general access to the user's account would need some extra work.

    3. Re:Vista Security. by jellomizer · · Score: 1

      Protected memory should prevent the memory of each object from interfering with the others, not by user. User Mode security is just as bad as system level, except it just doesn't have full access. But the bulk of your important information is accessible via your user account. The mouse images and animation should be in their own separate memory block that can only be accessed via controlled input calls. When the input is given it then should be checked to ensure the format is sane. Finally this control should only talk back giving x and y locations and the pressure of what button and what direction the scroll button is moving. But all this information should be sent back via calls back and forth, not from raw memory access, and Windows shouldn't have allowed such low level access to the mouse icon.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Vista Security. by cnettel · · Score: 1
      Ok, but then you don't only ask for protected memory, but a microkernel and lots of server processes. Changing page tables on the fly to do this, while keeping the number of processes low, is completely unthinkable on current architectures. As we have no actual production OS even close to the granularity you're requesting here, the question is not what part of protected memory MS doesn't understand. In this case, they understand, and use it, in pretty much the same way as "everyone" else. (If it had actually happened down in win32k.sys, the story would have been different.)

    5. Re:Vista Security. by rajafarian · · Score: 4, Funny

      I thought Vista was supposed to be the most secure OS ever.

      Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."

      I think this was carefully worded by them so they could say it with an honest face.

    6. Re:Vista Security. by honkycat · · Score: 1

      I'm not sure about even that -- how many remote exploits did MS-DOS 2.0 have?

    7. Re:Vista Security. by Anonymous Coward · · Score: 0

      You don't need protected memory to prevent arbitrary code execution. It's called Java, or CLR, or dis (with trusted compiler), or any number of other safe languages. Not writing in these languages is completely unthinkable on the current internet.

    8. Re:Vista Security. by Anonymous Coward · · Score: 0

      It does what protected mode IE always does, ie. runs with a restricted security token that doesn't allow write access to arbitrary disk or registry locations, doesn't allow sending window messages to arbitrary windows, and strips out various privileges that might allow some control over your computer. This applies to protected mode IE and any processes that it spawns. File downloads are handled by a helper process, ieuser.exe, that asks confirmation before permitting the download to be saved to arbitrary locations on the filesystem that the user has write access to.

    9. Re:Vista Security. by SL+Baur · · Score: 1

      When you can

      int main(void)
      {
                char *p = 0;           /* start at address zero... */

                for (;;) *p++ = 0;     /* ...and write until something stops us */
      }

      who needs exploits?

      MS-DOS 2.0 had plenty of bugs, but given the hardware it had to run on, I can't count that as one of them.

    10. Re:Vista Security. by Thundersnatch · · Score: 1

      I'm not sure about even that -- how many remote exploits did MS-DOS 2.0 have?

      Assuming you installed one of the contemporary networking stacks (IPX or NetBEUI or whatever was available), your typical networked DOS machine probably had shitloads of remote exploits. Nobody programming for PCs really thought much about security back then; I imagine the networking code was riddled with buffer overflows.

      Also, one could count floppy-borne boot sector viruses as remote exploits. Which they are, in the sense that the attack comes in via "sneakernet" with no user interaction required other than the "normal" action of inserting a disk. In my opinion, this is no different than a "remote" exploit that requires a user to visit a web page or open an email message.

    11. Re:Vista Security. by init100 · · Score: 1

      What part of a user-mode exploit don't you understand?

      It is possible that they could use a subsequent privilege escalation vulnerability to elevate their privileges to administrator level. Sure, it requires that such a hole exists, but I would be surprised if none exists.

    12. Re:Vista Security. by Xtravar · · Score: 1

      That's my favorite piece of code. I made it a library function.

      --
      Buckle your ROFL belt, we're in for some LOLs.
    13. Re:Vista Security. by cswiger · · Score: 1

      Wow! I wasn't aware that Microsoft doesn't implement page zero as being unwritable under Windows.

      On any system with a working protected memory/VM, you'd get a segv or bus error...I wonder how many bugs Windows programmers would catch if trying to dereference a NULL pointer (either for reading or for writing) actually generated an exception or error condition...? :-)

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
    14. Re:Vista Security. by Anonymous Coward · · Score: 0

      [ ] You read the parent post. [ ] You do know the difference between MS-DOS and Windows [X] You are a complete and utter idiot.

  11. Only affects rendering using the IE engine... by bubbl07 · · Score: 5, Interesting
    From a McAfee Avert Labs blog article:

    Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
    Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.
    1. Re:Only affects rendering using the IE engine... by Anonymous Coward · · Score: 0

      Moral of the story: don't use . . . Windows.

      T,FTFY.

    2. Re:Only affects rendering using the IE engine... by bubbl07 · · Score: 2, Informative

      My apologies, article here.

    3. Re:Only affects rendering using the IE engine... by netsharc · · Score: 1

      Isn't it great how Microsoft's suggested workarounds only say "View E-Mail in plain-text, don't visit untrusted sites" (even though they claim beforehand an attacker might also try to hijack trusted sites to deliver the exploit).

      Guess they can't write the obvious, "Use an alternative browser and/or email client.". Hah, what a Dubya-ian world they're living in.

      So I'm assuming the way to exploit it is with CSS's cursor property:
      cursor: url('some-bad-file.ani');
      I'm guessing Firefox has its own animated cursor rendering engine? Are they even allowed in CSS...

      Ah, the irony of something that is unnecessary other than making the GUI look pretty being responsible for endangering the system...

      --
      What time is it/will be over there? Check with my iPhone app!
    4. Re:Only affects rendering using the IE engine... by Anonymous Coward · · Score: 0

      That word you keep using... THATS NOT WHAT IRONY FUCKING MEANS!

      I'll use caps all I want slashcode!

    5. Re:Only affects rendering using the IE engine... by lostboy2 · · Score: 1
      US-CERT also recommends configuring Windows Explorer to use Windows Classic Folders:

      When Windows Explorer is configured to use the "Show common tasks in folders" option, HTML within a file may be processed when that file is selected. If the "Show common tasks in folders" is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the "Show common tasks in folders" is enabled by default. To mitigate this attack vector, enable the "Use Windows classic folders" option.
      Of course, the "Show common tasks in folders" option could only be exploited if someone downloaded the bad HTML files to a directory where users could select it through Windows Explorer. Still, I imagine that a disgruntled employee could wreak havoc this way.
    6. Re:Only affects rendering using the IE engine... by Locutus · · Score: 1

      yup, I wish the press would pick up on this and mention that Firefox and Thunderbird protect from this and then give the link to the free download pages. I've notified a few friends of this and their responses have been 'got Firefox and don't use Outlook so no worries here' type of responses. I've not heard from any of those I've moved to Linux, so either they've finally accepted that they are protected from all the Windows security flaws or they've not heard anything about this yet.

      If anybody knows any email addresses of your local news or newspaper, maybe letting them know that Firefox and Thunderbird are safe from this, they run on Windows, and are free. Let's take the marketing opening where we can get em. :-)

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  12. Why does it get to be this bad? by 140Mandak262Jamuna · · Score: 3, Insightful
    Well, one can understand programmers making stupid mistakes and creating vulnerabilities. And every time you add features, whether important or just bells and whistles, you always run the risk of opening up another vulnerability. Granting all that, why is it that, in 2007, after Vista, with "Security is Job 1 in MSFT", a vulnerability in a browser goes all the way up to executing arbitrary code? Browsers are expected to get data from untrustable sites; they should have heavy armour protection. Why are the users putting up with this nonsense?

    Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.

    Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Why does it get to be this bad? by DoofusOfDeath · · Score: 4, Funny

      No doubt you aren't a programmer, and wouldn't really grasp how complex a piece of software like a web browser really is,

      Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.

    2. Re:Why does it get to be this bad? by tijmentiming · · Score: 2, Insightful

      You missed the point. He only says it's weird that people shrug when software is insecure. It's not a rant at Microsoft, but at people who shrug.

    3. Re:Why does it get to be this bad? by 140Mandak262Jamuna · · Score: 1
      Yes, Sir, I read the article.

      Successful exploitation allows execution of arbitrary code. NOTE: The vulnerability is currently being actively exploited.

      That is why the rant. Crash on imperfect input? I will accept that.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    4. Re:Why does it get to be this bad? by Anonymous Coward · · Score: 0

      Because speaking as a parent, I'm much, much more terrified about my child dying than I am about Vista crashing.
      Sounds like someone needs to get their priorities in order.
    5. Re:Why does it get to be this bad? by Anonymous Coward · · Score: 0

      When you can show a child dying from an intrusion vulnerability in consumer grade software, then you'd have a point. Until that happens, we should expect the public reactions to be different.

      Another way to look at the difference: the newspapers are practiced in making scary headlines for topics like toy accidents and are unpracticed for topics like IT.

    6. Re:Why does it get to be this bad? by 140Mandak262Jamuna · · Score: 1
      It used to be, browsers were used mainly to access information on the 'net and the most damage that would happen to you would be your computer might crash or the net won't be available. It is not such a low-impact scenario anymore. Bank accounts and brokerage accounts are being accessed and controlled through browsers by millions of people every day. The real serious hackers who know enough to take advantage of these exploits are not your typical script kiddie out to have some fun or make a name for himself. They are quite risk averse and they don't directly steal your money. They harvest passwords for these bank accounts and sell them in the underground.

      The guys who buy these passwords have lots of connections with terrorism, drug trafficking, prostitution rings and many other nefarious activities. Password harvesting algorithms running wild can do more damage to you than the choking hazard from a toy part. Really.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    7. Re:Why does it get to be this bad? by porkThreeWays · · Score: 1

      Well, I think the idea was that the world has its priorities skewed. Statistically your child would have an insignificant risk if millions of children were playing with this toy. You should be more worried about your children getting common childhood disease that could kill them. Likewise, getting your personal information stolen can make your life hell. Would you be more worried about your child having a .00001% chance of choking on a toy, or a 5% chance of having your ATM card stolen? If you said the former, then you need a reality check.

      10 people can die due to a serial killer over the period of two years while at the same time millions of people die due to heart disease. Which one will the media cover? It's human nature to be scared of dying due to an external force you have no control over (such as a serial killer). However, humans have completely irrational emotions and will try to justify to themselves why a completely irrational fear is rational.

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
    8. Re:Why does it get to be this bad? by Joe+The+Dragon · · Score: 1

      M$ likes to reuse old code, like how that old printer system from Windows 3.1 was used by hackers in XP, 2000, and the Vista beta.

    9. Re:Why does it get to be this bad? by Locutus · · Score: 1

      Ah, lest you forget that Microsoft's security claims have a long long history of failure:

      "Microsoft is dedicated to keeping our customers' networks secure, and Windows 2000 is the most secure operating system we have ever shipped," said Keith White, director of Windows marketing at Microsoft.

      http://www.microsoft.com/Presspass/press/2000/jan00/cybersafepr.mspx

      mentioned in the Windows 2000 wikipedia entry too:

      http://en.wikipedia.org/wiki/Windows_2000

      So they've sucked at this for many many years while claiming otherwise.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    10. Re:Why does it get to be this bad? by Twillerror · · Score: 1

      Funny aside: as a programmer I do understand how complicated the browser is as a whole, but it is composed of much simpler parts, and in fact utilizes many OS-level functions... which is what caused this, not really the browser. If I were coding it I would have assumed I could safely load a mouse cursor.

      That is the point of this time in computing history. We can't assume even these simple little things anymore. We all fall prey. I bet most of us have created security holes, but not in a major OS where millions would want to exploit it. After all, Windows is written by guys and gals who likely love computers as much as this whole site. Bill and the rest of the jerks up in management are not writing the security holes. That said, I think MS has to be made accountable because they are willing to market security. Macs do too, and they can have holes as well.

      Firefox is not affected by this because they must not support .ani files, or they have their own parser and tool to display those cursors... my guess would be they don't support them. That is different than not being susceptible... it just doesn't apply. Sorry for not having the time to research if Firefox implements CSS cursors... hell, I didn't even think about IE supporting them.

      The issue here is that Windows didn't check a file format. After the image file fiasco you'd think they would have gone through every single file type they support and looked at the base code that opens up the file. Maybe they did... maybe this exploit isn't as easy to envision as we'd all like to think. It might be super easy to use it, but it might have taken several security engineers hours and hours to have imagined it in the first place. If it is as boneheaded as just making the header longer than it should be, then MS needs to get some better code scanners.

      Better yet, we need to be things like this with some type of protection. If the code was Java this wouldn't have happened. Am I saying to use Java? Of course not, but I think we have enough wasted cycles to do some more out-of-bounds checking in the compiled code.

  13. What kind of mouthbreather would even... by straponego · · Score: 4, Funny

    ...install an animated cursor in the first place? Okay, besides the CEO.

    1. Re:What kind of mouthbreather would even... by Torodung · · Score: 2

      Actually, it's pretty useful for the "wait" cursors, because you can tell if the system has crashed or is stuttering badly. I use it for both the "Working in background" and "Busy" signs. If the hourglass stops moving, and sometimes it does, even if mouse control still works, you know you're waiting for nothing. It was more useful with Windows 95 and 98, but I still use it in XP.

      (Actually, I use a set of modified Mac OS 8 icons, including black arrows and the classic "watch" icon, but I use hourglasses here because that's usually what folks use in Windows. There used to be an icon scheme called "animated hourglasses.")

      --
      Toro (breathing through my mouth)

    2. Re:What kind of mouthbreather would even... by boristdog · · Score: 1

      My thoughts exactly. Animated cursors are for secretaries and housewives. And those people will always fill their computer so full of spyware anyway, so no single exploit will matter.

    3. Re:What kind of mouthbreather would even... by Rob+T+Firefly · · Score: 2, Insightful

      I'll own up and admit to having used exclusively animated cursors in the past... but then again, I was a mouthbreathing teenager in the mid 1990s with my first Pentium. I also had Star Trek WAVs hooked to all my Windows events, ran After Dark's screensaver app at all times, used any excuse to look things up in Compton's Interactive Encyclopedia CD-ROM, and obsessively hoarded Voyager publicity photos from Compuserve. A few blinky wiggly pointers shaped like phasers and lightsabers were the least of my crimes against good taste, but frankly, I would have totally deserved getting owned as a result.

    4. Re:What kind of mouthbreather would even... by gEvil+(beta) · · Score: 2, Funny

      ...install an animated cursor in the first place? Okay, besides the CEO.

      My cursor is a big punching glove. It makes hitting that damn monkey that much easier...

      --
      This guy's the limit!
    5. Re:What kind of mouthbreather would even... by illegalcortex · · Score: 2, Informative

      What kind of mouthbreather would even install an animated cursor in the first place?
      I'm not sure that's really the problem. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

      With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
      http://www.anicursor.com/webcursor.html

      I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
  14. What's to investigate? by roman_mir · · Score: 2, Informative

    Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop, and probably the best thing to do is to finally just plain not use MS, but in many cases it is not an option.

    Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off the 'show content while dragging window' option, switch to the 'classic' look for the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn off the 'Remember each folder settings' option.

    I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients, do not allow active content to execute and do not trust attachments, ever). It's a real pain; it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose).

    1. Re:What's to investigate? by stratjakt · · Score: 1

      Who cares about the performance hit? People have quad core 3 gigahertz processors, and you're worried about an animated mouse.

      We aren't all running linux on 486's we found in a dumpster.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:What's to investigate? by rbochan · · Score: 4, Insightful

      ...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...

      That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
      You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is an appliance, like a toaster, because Bill Gates tells him it is.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    3. Re:What's to investigate? by Anonymous Coward · · Score: 0

      turn off 'show content while dragging window' option

      Why? With any modern video card, the blit is handled entirely by the card -- the CPU doesn't have to do much beyond saying "copy this rectangle to these coordinates". In comparison, the rectangular outline of the window that you get when this option is disabled must be drawn by the CPU. You are probably decreasing your system's performance by turning this option off.

      Of course, in these days of 3GHz machines, we're talking about an infinitesimal fraction of a second anyway. Who gives a crap? If this option actually makes a noticeable difference on whatever god-awful hardware you're running on, I'd say it's probably time to upgrade.

    4. Re:What's to investigate? by illegalcortex · · Score: 2, Informative

      do not allow animated anything on your desktop
      I'm not sure that's really the solution. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

      With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
      http://www.anicursor.com/webcursor.html

      I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
    5. Re:What's to investigate? by Anonymous Coward · · Score: 0

      That's the second "OMGPONIES!!!!!!" reference I've seen today. With April 1st only two days away, I think we know what's going to happen, again.

    6. Re:What's to investigate? by Trailer+Trash · · Score: 2, Funny

      Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed

      We're two days away from April 1st, let us enjoy these days while we can...

    7. Re:What's to investigate? by Vexorian · · Score: 1

      Huh? I have animated cursors for "wait" and "reading data"; it prevents me from thinking the system is just busy when the system has frozen... And animated wait cursors weren't a performance hit back in the Windows 95 days and they certainly aren't today.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    8. Re:What's to investigate? by Anonymous Coward · · Score: 0

      "The 'average joe' thinks his computer is appliance, like a toaster, because Steve Jobs tells him it is."

      Fix'd...

  15. Displaced Hot Spot by G4from128k · · Score: 1

    It would seem that any remotely defined cursor could be used maliciously by displacing the hotpoint relative to the cursor graphic and encouraging the user to click on something "safe" when the real hot spot for the click is elsewhere over something untrustworthy.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Displaced Hot Spot by Anonymous Coward · · Score: 0

      Good thinking, but there might be size restrictions to this, especially if we're talking hardware mouse pointers (which we might not be).

  16. Criminals using this vulnerability ? by Rastignac · · Score: 5, Funny

    Our security expert, Jackson M., just told us:
    " So, ANI are you ok ? Are you ok ANI ?
        You've been hit by... you've been hit by... a smooth criminal ! "

    --
    -- Rastignac was here.
  17. A workaround for this... by Anonymous Coward · · Score: 5, Funny

    A workaround for this is to install some quality cursors.
    I use the comet cursor package that installed itself automatically when I browsed the web.
    It has some great cursors and loads of other features that make using Windows far more entertaining.

    I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.

  18. Oh So Happy It's Thursday... by wowbagger · · Score: 0

    This was announced on The Register yesterday, making it yet another
    Oh
    So
    Happy
    It's
    Thursday
    moment again.

  19. It's all relative by Headcase88 · · Score: 0, Offtopic

    What the fuck is WTF? Is it really that hard to type those two extra words?

    --
    "When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"
    1. Re:It's all relative by Anonymous Coward · · Score: 0

      And HTF has been given mod points these days ?
      Offtopic == moronic

    2. Re:It's all relative by Anonymous Coward · · Score: 0

      'WTF' is ok by me; it's a legitimate abbreviation. I take issue with the moronic poster's inability to put the 'ex' in front of 'ploits'.

  20. I can hear Ballmer screaming... by xactuary · · Score: 5, Funny
    Cursors? Foiled again!

    --
    Say hello to my little sig.
    1. Re:I can hear Ballmer screaming... by erroneus · · Score: 2, Funny

      Damn you! I have been waiting YEARS to do that one!!

      Damn you! Damn you all to hell!!

    2. Re:I can hear Ballmer screaming... by xactuary · · Score: 1
      Thanks folks. Be sure to tip your waitress. I'll be here all week. ;^)

      --
      Say hello to my little sig.
  21. what about a vulnerability in Clippy? by Anonymous Coward · · Score: 0

    I mean, c'mon, dark-side hackers, bring us a Clippy vulnerability while Clippy still exists!

    1. Re:what about a vulnerability in Clippy? by sqlrob · · Score: 1

      There's already been one for Clippy, or at least the underlying technology. They were scriptable and could execute arbitrary code.

  22. Not today by hansoloaf · · Score: 1

    Wait till Sunday for April Fool's.

  23. Actually by gcnaddict · · Score: 1

    Unfortunately, since cursors pwn you in the US, the statement must be revised (rather ironically) to:

    In Soviet Russia, you pwn cursors!

    See, since that doesn't exactly work with the other Soviet Russia jokes, there's no reason to post it here. You pwn cursors and cursors pwn you in the US. Now, if we replaced cursors with mice and you with your food, then we have a more appropriate USSR joke.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  24. Firefox? by leuk_he · · Score: 1

    Is Firefox vulnerable? Or does FF not support animated cursors? Or did it require a click to download/view some file in the first place?

    1. Re:Firefox? by illegalcortex · · Score: 0

      RTFAs. That's why they're there.

    2. Re:Firefox? by iluvcapra · · Score: 1

      "Hello, Dave Shutton, Springfield Shopper. Who are you, and what are you doing here?"

      --
      Don't blame me, I voted for Baltar.
    3. Re:Firefox? by illegalcortex · · Score: 1

      You forgot "Where are you going?" Amateur!

  25. Windows Vulnerability in Antimatter Containment by jimstapleton · · Score: 0, Offtopic

    I read "Windows Vulnerability in Antimatter Containment Field" when I first saw that... I must be too tired. Regardless, that's more interesting than the actual article, so maybe being too tired isn't a bad thing.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  26. Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 5, Funny

    [Cancel] or [Allow]?

    1. Re:Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 0

      You are trying to use the keyboard.

      [Cancel] or [Allow]?

    2. Re:Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 0

      Keyboard not found. Press F11 to continue.

    3. Re:Solution: "You are trying to move the mouse..." by SharpFang · · Score: 1

      This morning's fav:

      "Are you sure you want to cancel the operation?"
      [OK] [Cancel]

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    4. Re:Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 0

      I'm so confused...

  27. In other news... by AndroidCat · · Score: 1
    --
    One line blog. I hear that they're called Twitters now.
  28. Stop the animated scrolling up and down by BanjoBob · · Score: 1

    Thursday's update killed my system. Every window scrolls up and down at 1000 mph. You can't click anything at all. So who cares about an animated cursor -- I need to stop the animated window. Oh, I'd like to get my shift keys working again too. They are now "back up to previous window" keys. Thanks Microsoft.

    --
    Banjo - The more I know about Windoze, the more I love *nix
  29. Caution by Alioth · · Score: 5, Informative

    If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

    http://www.secureworks.com/research/threats/gozi/ ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

    This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

    1. Re:Caution by illegalcortex · · Score: 1

      Near as I can tell, this doesn't take you downloading an animated cursor. There's IE-specific CSS code that allows you to replace the cursor in IE. You can't turn it off. If only MS had added that as an option, we'd at least have a workaround.

  30. Clippy's Fault by Anonymous Coward · · Score: 0

    Who else immediately thought this was somehow due to clippy?

    Clippy: I see someone just took over your system. Would you like help in panicking?

  31. MOD PARENT UP: +1 Funny by Anonymous Coward · · Score: 0

    Subj sez it all

  32. This doesn't include all cursors... by 192939495969798999 · · Score: 1

    I'm sure that those "free animated george bush cursors" ads that pop-up when I'm surfing around are safe from this, right?

    --
    stuff |
  33. rootkit != death by jbengt · · Score: 1

    You're not seriously comparing getting passwords stolen with a child's death, are you?

    1. Re:rootkit != death by Rob+the+Bold · · Score: 1

      You're not seriously comparing getting passwords stolen with a child's death, are you?

      I was wondering when someone would pleeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeease think about the children. Thanks.

      --
      I am not a crackpot.
    2. Re:rootkit != death by shadowrat · · Score: 1

      You didn't think it through. Visit site -> computer pwned -> bank accounts compromised -> evil madmen use money to buy toys for children -> CHILDREN DIE!!!!!

  34. Correction by towsonu2003 · · Score: 2, Funny

    In Soviet Russia, cursors pwn you!

    Correction: In Soviet Russia, you pwn cursors! So you might want to live in Soviet Russia... Sorry.
  35. Migrate to GNU/Linux, not Vista by Anonymous Coward · · Score: 0

    Our company did last year, cities of Vienna and Munich did, French parliament did, it should work out very nicely for you too. Our former XP users love KDE.

    No need to put yourself through pains when you can improve security, save money and achieve a good deal of vendor independence all at the same time. Why support the Microsoft monopoly by paying ridiculous prices for bug ridden software with DRM restrictions, when you can run Free software on the industry standard (and thus inexpensive) hardware?

    Knowing everything I know now, I only regret that we did not migrate to GNU/Linux sooner.

  36. I don't use the mouse... by Anonymous Coward · · Score: 0

    you insensitive clod!

  37. kmail by normuser · · Score: 1

    Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.

    Or you could use kmail. It opens all email as "text/plain" by default and has a button to display active content on an email or sender basis.
    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    XXX#######
  38. Pfff. Locked in a vault? by spun · · Score: 5, Funny

    The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Pfff. Locked in a vault? by alexandreracine · · Score: 1

      The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.


      ... I could crack that...
      --
      No sig for now.
    2. Re:Pfff. Locked in a vault? by Anonymous Coward · · Score: 0

      As long as the defensive lasers, swarm of nuclear smart mines and company of battlemechs don't run Windows Vista :) and move the mouse.

    3. Re:Pfff. Locked in a vault? by allanc · · Score: 1

      ... Until someone finds a root exploit for computers controlling the mines, lasers, and battlemechs. Then you're fucked again.

    4. Re:Pfff. Locked in a vault? by Cervantes · · Score: 1

      Please don't give Steve Ballmer any ideas.

      --
      If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    5. Re:Pfff. Locked in a vault? by Anonymous Coward · · Score: 0

      The most secure computer is the one that never gets built. Try hacking that!

    6. Re:Pfff. Locked in a vault? by hszp · · Score: 1

      I just read "defensive lawyers" instead of "defensive lasers". Does that count as thoughtcrime here on Slashdot? Or involuntarily insightful?

    7. Re:Pfff. Locked in a vault? by c · · Score: 1

      ... unless the lasers, smart mines and 'mechs are running Windows. Then it's p0wn3d, and the Russian mob gets to use an anonymous asteroid as a spam relay.

      c.

      --
      Log in or piss off.
    8. Re:Pfff. Locked in a vault? by TheRealMindChild · · Score: 1

      Pic?

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    9. Re:Pfff. Locked in a vault? by spun · · Score: 1

      Oh sure, you just want to see the stars in the background so you can calculate where in the Kuiper belt it is and hack into it. I know your type.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    10. Re:Pfff. Locked in a vault? by Phanatic1a · · Score: 1

      ...with a sign that says "Beware of tiger."

    11. Re:Pfff. Locked in a vault? by randomaxe · · Score: 1

      Is that Vista service pack 2 or 3?

    12. Re:Pfff. Locked in a vault? by scribblej · · Score: 1

      Not anymore; I rooted that box and replaced all its 1s and 0s with 3s. Just go look.

    13. Re:Pfff. Locked in a vault? by hetairoi · · Score: 1

      so ... where do you keep the off-site backups?

      --
      you're all figments of my deranged imagination
    14. Re:Pfff. Locked in a vault? by Slashdiddly · · Score: 1

      May still be vulnerable to comet cursor...

  39. Yet another reason.. by Anonymous Coward · · Score: 0

    To not use Internet Exploiter.

  40. Is there nothing that can't be exploited in MSWin? by Viol8 · · Score: 1

    Processes you can understand having exploits; no coders are perfect. But how the hell have they exposed the underlying cursor API/buffer so that someone can make an exploit out of it, except via some idiotic and stupid design decision?? This really beggars belief. If even the cursor is vulnerable, is there *anything* that can be trusted to be secure on a Windows PC apart from the OFF switch?

  41. IE loads animated cursors via CSS by illegalcortex · · Score: 5, Informative

    For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

    body {cursor: url('cursor.ani');}
    <BODY style="CURSOR: url('cursor.ani')">
    <BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

    You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

    I am almost positive there is no way to disable this in IE.

    1. Re:IE loads animated cursors via CSS by ip_vjl · · Score: 1

      If you run a proxy, it seems you could block them at the proxy level.

      This isn't likely to help home users, as it's likely the types of people who are capable of running their own proxy are also not the type to be using IE as their browser. But this might at least help in a corporate environment where all traffic is already going through a proxy.

    2. Re:IE loads animated cursors via CSS by illegalcortex · · Score: 2, Informative

      You could probably block the easier ones, yes. But first off, I'm not sure the file has to be named with a .ANI extension. Second, you could probably do the CSS via javascript rather than have it hardcoded like in my examples. Doing these two things would make scrubbing via a proxy much more difficult.

    3. Re:IE loads animated cursors via CSS by ip_vjl · · Score: 1

      I'm not sure if it is restricted only to the *.ani extension either. From some of the things I've read, it seems IE might be happy with alternate extensions (like ico or cur). I'm not sure if these are served using a specific MIME type - some things seem to just serve it as plain binary data (application/octet-stream) but I'm not sure if that's the 'correct' MIME mapping.

      To address your other point, even if the object is called by obfuscated CSS inside of JS, it shouldn't be a problem. I'm not talking about removing the call to the cursor from the source document's HTML. I'm talking about blocking responses to HTTP requests that return that type. Even if the source was obfuscated, the actual HTTP request/response is scrubbable.

      The problems I can see are if:
      1) IE doesn't use extension or mime-type, but instead examines the binary data - as then there's no good way to block it.
      2) You're loading one of these from an HTTPS site, since the proxy wouldn't know what you're requesting.

    4. Re:IE loads animated cursors via CSS by illegalcortex · · Score: 1

      Well, I was trying to come at it from both points, since you weren't specific about the kind of proxy. Just pointing out that you could probably get around both solutions.

    5. Re:IE loads animated cursors via CSS by Anonymous Coward · · Score: 0

      The advisories I've read say it's possible to name these cursors .JPG... I can't think of any way at all to block these. Outlook Express is vulnerable to these when displaying plain text e-mail ffs...

      Fortunately our users only have open internet access at lunchtimes, I'm just hoping none of them get a link to this.

    6. Re:IE loads animated cursors via CSS by lostboy2 · · Score: 4, Informative

      SANS says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).
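
Taking ip_vjl's proxy idea together with the reports just above that the cursor files travel renamed as .jpeg, here is an added example (not from the thread, IE, or any proxy product) of a response filter that classifies a body by its RIFF/ACON or ICONDIR header instead of trusting the extension or the Content-Type header. It assumes the proxy already holds the decoded response body, and the blocking policy, function names, URLs and sample bodies are the example's own constructions; the RIFF/ACON and ICONDIR layouts are the published Windows cursor formats.

```python
"""
Content sniffing for a filtering proxy: decide whether an HTTP response body is
really a Windows cursor (ANI or CUR/ICO), whatever the URL extension or the
Content-Type header claims.

Format facts used (published Windows file formats, not taken from the thread):
an ANI file is a RIFF container, b"RIFF" <u32 size> b"ACON" followed by chunks
of <4-byte id> <u32 size> <payload> padded to even length, normally including
an "anih" header chunk; a CUR/ICO file starts with an ICONDIR of u16 reserved
(0), u16 type (1 = icon, 2 = cursor), u16 image count, then 16-byte entries.
All function names, URLs and response bodies below are constructed for this
example.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

RIFF_MAGIC = b"RIFF"
ANI_FORM = b"ACON"
CURSOR_EXTS = {"ani", "cur", "ico"}


def iter_riff_chunks(body: bytes) -> Iterator[Tuple[bytes, Optional[bytes]]]:
    """Yield (chunk_id, payload) per top-level RIFF chunk. A chunk whose declared
    size runs past the body is yielded with payload None and ends the walk, so a
    truncated or lying header cannot make the sniffer read out of bounds."""
    pos = 12  # skip "RIFF", the container size and the form type
    while pos + 8 <= len(body):
        chunk_id = body[pos:pos + 4]
        (size,) = struct.unpack_from("<I", body, pos + 4)
        start, end = pos + 8, pos + 8 + size
        if end > len(body):
            yield chunk_id, None
            return
        yield chunk_id, body[start:end]
        pos = end + (size & 1)  # odd-sized payloads carry one pad byte


def riff_chunk_ids(body: bytes) -> List[str]:
    """Chunk ids in order, for the proxy log line (e.g. ['anih', 'LIST'])."""
    return [cid.decode("ascii", "replace") for cid, _ in iter_riff_chunks(body)]


def sniff_cursor(body: bytes) -> Optional[str]:
    """Classify bytes as 'ani', 'cur' or 'ico' from their header, else None."""
    if len(body) >= 12 and body[:4] == RIFF_MAGIC and body[8:12] == ANI_FORM:
        return "ani"  # any RIFF/ACON is an animated cursor to a cursor loader
    if len(body) >= 6:
        reserved, kind, count = struct.unpack_from("<HHH", body, 0)
        # ICONDIR has no magic bytes, so also require the directory to fit in
        # the body; that keeps false positives on zero-led binaries low.
        if reserved == 0 and kind in (1, 2) and 1 <= count <= 255 \
                and len(body) >= 6 + 16 * count:
            return "cur" if kind == 2 else "ico"
    return None


def url_extension(url: str) -> str:
    """Lower-cased extension of the last path segment, ignoring query/fragment."""
    name = url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def should_block(url: str, content_type: str, body: bytes) -> Optional[str]:
    """Proxy policy (an assumption of this example): block every animated cursor
    whatever name it travels under; block static CUR/ICO only when disguised as
    something else, so ordinary favicons still load. Returns a reason or None."""
    kind = sniff_cursor(body)
    if kind is None:
        return None
    ext = url_extension(url) or "?"
    disguised = ext not in CURSOR_EXTS
    if kind == "ani":
        how = f"disguised as .{ext} ({content_type})" if disguised else "declared"
        return f"RIFF/ACON animated cursor, {how}, chunks={riff_chunk_ids(body)}"
    if disguised:
        return f"{kind.upper()} icon/cursor served as .{ext} ({content_type})"
    return None


def build_riff(form: bytes, chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Build a RIFF container from (id, payload) pairs (sample data only)."""
    out = b"".join(cid + struct.pack("<I", len(d)) + d + b"\0" * (len(d) & 1)
                   for cid, d in chunks)
    return RIFF_MAGIC + struct.pack("<I", 4 + len(out)) + form + out


# Constructed sample responses: (url, Content-Type header, body).
SAMPLE_RESPONSES = [
    ("http://example.invalid/pics/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 32),
    ("http://example.invalid/pics/holiday.jpg", "image/jpeg", build_riff(ANI_FORM, [(b"anih", b"\0" * 36)])),
    ("http://example.invalid/theme/busy.ani", "application/octet-stream", build_riff(ANI_FORM, [(b"anih", b"\0" * 36)])),
    ("http://example.invalid/favicon.ico", "image/x-icon", struct.pack("<HHH", 0, 1, 1) + b"\0" * 16),
    ("http://example.invalid/img/spacer.gif", "image/gif", struct.pack("<HHH", 0, 2, 1) + b"\0" * 16),
]


def scan_responses(responses=SAMPLE_RESPONSES) -> Dict[str, str]:
    """Map each blocked URL to its reason; passed responses are left out."""
    return {url: reason for url, ctype, body in responses
            for reason in [should_block(url, ctype, body)] if reason is not None}
```

Calling scan_responses() on the samples flags the renamed .jpg, the honestly named .ani and the cursor served as .gif while passing the real JPEG and the favicon; as the thread notes, this only works where the proxy can see the body, so HTTPS responses it cannot inspect are out of reach.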

    7. Re:IE loads animated cursors via CSS by muellerr1 · · Score: 1

      This is why when I surf the internet using IE I only visit sites that I personally have coded, and only after a VPN session into the server to ensure that my website has not been compromised.

  42. Un-fragging-believable! by mmell · · Score: 5, Insightful
    Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.

    If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.

    If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.

    The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?

    I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .

  43. IE protected mode by Anonymous Coward · · Score: 2, Informative

    That's not quite true. The vulnerability does allow execution of arbitrary code, however protected mode IE limits the scope of what the running code can do. With protected mode IE, IE (and any processes spawned by IE) cannot write data to arbitrary locations, cannot send window messages to arbitrary windows on the user's desktop and cannot take advantage of most of the abilities that most users have. This applies even if the user is an administrator.

    Protected mode IE *does* have the ability to read anything that the user would regularly have access to, and through a helper application (ieuser.exe) is able to ask the user to download files or change IE settings. And anything else the user does in that particular IE process can be read or altered.

    So with protected mode IE the vulnerability does allow the execution of arbitrary code and it can steal your data files, but it can't write to your regular files or system files.

    1. Re:IE protected mode by Joe+The+Dragon · · Score: 1

      The Flash plugin seems to need Protected Mode turned down or off to work, so hackers may code it to use the plug-in to hack into the rest of the system, and Flash is used on so many web sites that people can't do without it.

    2. Re:IE protected mode by Anonymous Coward · · Score: 0

      That's good. Way to go Microsoft. But let's not forget what the ability to run arbitrary code allows for.

      If it finds a local vulnerability that can bypass protected mode (e.g. a kernel vulnerability) then it can simply use an IE exploit as a stepping-stone for a more dangerous exploit.

      Sandboxed or not, the ability to run arbitrary code is very dangerous.

    3. Re:IE protected mode by _ivy_ivy_ · · Score: 1

      protected mode IE limits the scope of what the running code can do.

      ...at least until there are confirmed privilege-escalation exploits published. This feature makes windows more secure, but it is not a silver bullet.

    4. Re:IE protected mode by shutdown+-p+now · · Score: 3, Interesting

      It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.

  44. Hardly! by Petersko · · Score: 1

    The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

    That's far too much technology that needs to be trused. What if the protective equipment is compromise, and the battlemechs dig the computer up using the mines and the lasers, and then install a Sony rootkit on it?

    No, the most secure computer would be one unharmed while everything else in the universe gets turned into space dust.

    1. Re:Hardly! by lostboy2 · · Score: 2

      What if the protective equipment is compromise, and the battlemechs dig the computer up using the mines and the lasers, and then install a Sony rootkit on it?
      True, because, as we all know, battlemechs love Celine Dion.
    2. Re:Hardly! by oni · · Score: 1

      What if the protective equipment is compromise, and the battlemechs dig the computer

      that's the beauty of this system. The secure computer isn't actually buried in the asteroid. That computer is just a misdirection (and it's filled with nerve gas btw). The real secure computer was secretly given to Chuck Norris 30 years ago.

    3. Re:Hardly! by fireylord · · Score: 0

      yes, because those battlemechs will die when they breathe in the nerve gas released into vacuum

    4. Re:Hardly! by Anonymous Coward · · Score: 0

      You don't know how often that happens in the Kuiper belt, it's amazing!

  45. Good heavens... by Petersko · · Score: 3, Funny

    trused? compromise? Mornigs suk as.

  46. Another stupid buffer overflow... by GogglesPisano · · Score: 1

    It boggles the mind that (fully patched) XP, IE7, and Vista are still vulnerable to buffer overflow attacks. It's 2007 for god's sake, not 1987.

    Any use of a stack-based static-sized buffer should have thrown up huge red flags during code review. To have unchecked use of a static buffer make its way into production code is inexcusable in this day and age, particularly at Microsoft.

    1. Re:Another stupid buffer overflow... by I'm Don Giovanni · · Score: 1

      And yet Firefox, with millions of eyes poring over the code, has buffer overflows and exploits aplenty (or have you not noticed the ever increasing frequency and size of Firefox security updates recently?). Software developers are human beings, not robots, and are imperfect. Live with it.

      --
      -- "I never gave these stories much credence." - HAL 9000
    2. Re:Another stupid buffer overflow... by geekoid · · Score: 1

      It's that attitude that's got us where we are now.

      Proper design can end buffer overflows.

      --
      The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Another stupid buffer overflow... by fireylord · · Score: 0

      at least they're patching exploits in a timely manner. . .

    4. Re:Another stupid buffer overflow... by Anonymous Coward · · Score: 0

      Proper design can end buffer overflows.
      Human programmers are pretty adept at ignoring designs, too, proper or otherwise. You can design your system all you want to be idiot-proof, but your system is a mass of source code waiting to be compiled, and someone is always going to be able to add on to that system in ways that will break your design.

      The only real way to end buffer overflows is to use tools that make them impossible to implement, no matter what the programmer tries to do. In other words, programming languages/compilers that prohibit unsafe memory operations.

      (A theorist will probably come along now and say even that's not good enough, because you can't prove that the language/compiler is truly safe, except for certain very formal research languages designed specifically to be rigorous. And they're probably right, but unless you're designing software that goes into medical devices or avionics (and where they've understood these issues for decades), it's not a practical concern.)
  47. Supposedly the newest code does prevent it by Beryllium Sphere(tm) · · Score: 1

    Microsoft's advisory claims that IE7 in protected mode isn't vulnerable.

    1. Re:Supposedly the newest code does prevent it by Locutus · · Score: 1

      no they don't. It says that the damage is contained but that the attack is still operational. But I see where you could confuse the two.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  48. Why you should care by Anonymous Coward · · Score: 1, Insightful

    If root gets pwned, you cannot trust your system OR your data. It could have put a trojan or backdoor in and you'll never know. You will now have to reinstall your system, reinstall your applications, reconfigure your system and then load your data from backup.

    However, if a user account is pwned, you cannot trust your data. Either scan or load from backup.

    So that's why you don't want "root" compromised.

    And that is without going in to things you just can't DO as a normal user (raw sockets or even bind to ports 1024)...

  49. Buffer overflows by Twillerror · · Score: 1

    This is a flaw of computers... yes, it results from bad coding... but should a simple mistake allow for code to be executed?

    Why doesn't the no execute bit fix this?

  50. Ah yes by loconet · · Score: 2, Insightful

    Although I use Linux exclusively at home/work, here I am, silly fool, giving the benefit of the doubt to Vista and its "enhanced security". I've always been aware of IE's ability to create holes in the most unrelated portions of the OS (cursor, help pages, etc) and yet, I thought that Vista, maybe, just maybe, actually was worth its 5+ years of development and it was not all spent on DRM crap. How foolish of me. Here is yet again another seemingly unrelated functionality affected by the disaster that is IE. I will not be surprised if tomorrow IE can make your desk lamp vulnerable.

    --
    [alk]
    1. Re:Ah yes by Keeper · · Score: 0, Troll

      Your rant might be interesting if, perhaps, malicious action were possible with this exploit on Vista. (it isn't)

    2. Re:Ah yes by loconet · · Score: 1

      What part of "Successful exploitation allows execution of arbitrary code. NOTE: The vulnerability is currently being actively exploited." do you fail to understand?

      --
      [alk]
    3. Re:Ah yes by Keeper · · Score: 1

      What part of "Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode" do you fail to understand?

    4. Re:Ah yes by loconet · · Score: 1

      If you actually bother to read the article you will see that IE (directly) is actually not the only affected software. Versions of Outlook before 2007 are affected and thus any Vista installation running that. Once again, VISTA is affected. period.

      --
      [alk]
    5. Re:Ah yes by AaronLawrence · · Score: 1

      To be fair: IE is only using a feature of the OS that "should" be working already.

      Of course, this goes to the basic problem with making web browsers more and more like client applications (cf ActiveX): all those millions of lines of code were never designed or coded or tested to survive malicious attacks.

      Lesson: any network facing application (including EVERY feature of a web browser) MUST be held to a much HIGHER standard than operating system code that runs locally.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  51. Privox Rule Anyone? by Anonymous Coward · · Score: 0

    Anyone have a privoxy rule to strip the css cursor element out?

  52. IE protected mode is the default (nt) by Anonymous Coward · · Score: 0

    no text

  53. I tried to give MS some feedback on their advisory by Anonymous Coward · · Score: 1

    So I thought I'd do MS a favour and give feedback for the first time ever.

    How would you rate the usefulness of this content ?

    (I picked 'Poor'.)

    Tell us why you rated the content this way. (optional)

    1. Insufficient explanation on how to avoid problem.

    2. Insufficient explanation on who is vulnerable: I don't use IE, Outlook, Outlook Express, Media Player; I don't use animated cursors - am I vulnerable? If so, through what path? Are responsibly and competently built Web browsers and mail clients (e.g. Firefox, Opera, Thunderbird) vulnerable? How?

    3. Weasel words on 'specially crafted' Web pages and emails. Don't imagine this kind of misleading garbage makes you look any better. If you can't say something useful, don't say anything.

    It said:

    Please limit comments to 256 characters.

    Nick

  54. April 1st already? by Anonymous Coward · · Score: 0

    so... animated cursors compromising security anyway????
    HOW can anyone mix those concepts?

  55. Arbitrary Code? by Molecular Mechanic · · Score: 1

    Why do they always say this?

    I doubt it would be arbitrary code.

    I'll bet it would be some specific code the bad guys want to run.

    FWIW.

    Molecular Mechanic

  56. Don't worry ! by udippel · · Score: 3, Insightful

    The Microsoft Advisory - whom we all trust - shows that the fuss here on /. is unnecessary.
    RTMF (Read The Mitigating Factors) !:

    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.

    An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


    See, much ado about nothing !:
      - the attacker would have to host a web site [surely, they couldn't, could they !]
      - the attacker could compromise a web site [probably they would not know how to, would they !]
      - the attacker has no way to force the user to visit a specific website [see !]
    Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
      - the attacker would need to persuade us [just told my wife not to answer the phone or door bell]

    Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.

    Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
    Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !

    1. Re:Don't worry ! by illegalcortex · · Score: 1

      Even more reassuring is their comment on the e-mail vector:

      As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

      Recommendation: Do not visit untrusted websites or view unsolicited email

    2. Re:Don't worry ! by mabu · · Score: 1

      In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.

      Whew... for a moment there I was scared... apparently you can only be infected if you go to some web site that someone else has. And we all know how difficult it is for professional hackers to be able to set up web pages, and how rare it is for people to click on a link and go to that page.

      This explains why Microsoft hasn't patched this issue yet. The mitigating factors are obviously quite obscure.

    3. Re:Don't worry ! by Anonymous Coward · · Score: 0

      Yea. And phishers and hackers have never thought of combining exploits.

      Cursor exploit + click exploit = system hacked
      Cursor exploit + status bar exploit = system hacked
      Cursor exploit + redirection/cross-site-scripting hack = system hacked

  57. No need for a whole mile by illegalcortex · · Score: 1

    Turn off your computer and make sure it powers down
    Drop it in a forty three foot hole in the ground
    Bury it completely, rocks and boulders should be fine
    Then burn all the clothes you may have worn any time you were online

    1. Re:No need for a whole mile by gardyloo · · Score: 1

      Then burn all the clothes you may have worn any time you were online
      Nice poem. But who the hell wears clothes when they're online?!? I mean, I'm not . . ..

      Nevermind.
  58. hot spot misdirection by BagMan2 · · Score: 1

    I suspect that what is actually happening with this exploit is they are simply creating an animated cursor that makes the cursor appear somewhere it is not (ie, the hot-spot is not where the user thinks it is). The web page then goes to execute code and when it asks the user for permission and they click on 'no', they are actually clicking on 'yes', since the cursor hotspot is not where the visual cursor would indicate that it really is. No 'root' access needed or anything else... I suspect even a Linux browser could be vulnerable to such tricks.

    1. Re:hot spot misdirection by Dan Stephans II · · Score: 1
      What part of your research led you to this conclusion?

      What might an attacker use this function to do?
      An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.
      Perhaps you could expand your research into the actual issue. (Above italics taken from the microsoft advisory, clearly indicating that arbitrary code can be executed and it's not a "relocated hot spot").

    2. Re:hot spot misdirection by BagMan2 · · Score: 1

      First off, I don't offer this theory as a well-researched endeavor, merely casual speculation. Just theorizing what it might be since they are intentionally vague. The italic text you quote does not preclude my explanation; in fact, one could argue it supports it. It basically states that the affected system (ie, the one with the cursor displaying off the hotspot) could cause code to execute when visiting another website/email. It doesn't say how the attack causes the code to execute. It seems reasonable to me that it causes it to execute by fooling the user into authorizing the execution when the user thinks they are not authorizing it. The successful attack is not constrained by the .ani file type, which makes sense, since the ani file is simply causing the misdirection... the actual code executing could be coming from some other source.

    3. Re:hot spot misdirection by tinytim · · Score: 1

      This wouldn't work - the animated cursor only appears when the cursor is over the web page and would go away once the mouse was over the dialog box with the "yes"/"no" buttons you mention.

      What's actually happening is that the HTML/CSS is telling IE to display a *.ani file. IE dutifully retrieves this file and says "Here you go OS, display this." The OS takes the *.ani file and tries to parse it, but it's intentionally corrupt. The OS chokes on the corruption and winds up executing the cursor image data instead of displaying it.

      A buffer overflow goes something like this:

      1. Reserve storage space below for 10 images.
      2. Set the 11th stored image to the value "format c:".
      3. Jump to step 15.
      4-14. Storage space for 10 images goes here.
      15. Display image 1.

      Step 2 winds up changing step 15. to "format c:" since it sets the 11th item when there is only space for 10.

      MS Windows isn't stopping at step 2 and saying "Wha? There is no 11th storage space. I give up!".

      This simple example makes a couple of fixes seem easy enough, but they're "hard" in practice once you add in the complications of real life.

    4. Re:hot spot misdirection by Anonymous Coward · · Score: 0

      It seems reasonable to me that it causes it to execute by fooling the user into authorizing the execution when the user thinks they are not authorizing it
      What authorizing needs to be done? Buffer Overflow, Google it.
    5. Re:hot spot misdirection by BagMan2 · · Score: 1

      Yeah, I figured when the OS window got focus it would take over the cursor image and then it wouldn't be an issue, which may be why the exploit I describe hasn't happened. But what if the web page they were visiting were able to capture the mouse and then release it right as they click, thus routing the mouse message (which is misdirected) to the OS window at an unexpected spot. I know, it's a long shot and in practice little things like the OS window never getting the button-down (only the button-up) would probably prevent it from working, but you never know what little bugs might exist that might allow something like this to work.

      As far as the buffer-overflow vulnerability is concerned, that is certainly a reasonable explanation, but why would subsequent visits to other websites by the affected machine be required if that were the case? Once the unauthorized code was executing, no other actions would be needed in theory (unless they simply didn't have enough space for the full code image in the hack).

      Also, your explanation about how buffer overflow attacks work is a bit off. The buffer in question is typically on the stack, located far away from the code-image. Overflowing the buffer doesn't actually tromp the code that is going to execute. Instead, since the stack grows backwards, the overflowed data actually overwrites the return-address that the function will return to (which is located on the stack).

      Typically how the hack would work in this case is images 1 through 10 would actually be binary code images. The 11th image that overflows tromps the return-address. The binary data you stick into the 11th image needs to be memory-address on the stack where the other 10 images are stored. When the function returns, it pops the return-address off the stack and starts executing code at that address (which after the overwrite will be the code stored in images 1 through 10).

      This is a very difficult attack to pull off, since the .ani file that contains the binary images in question needs to know in advance where the stack-frame will be in memory at the time the image is executed. In many cases, that varies quite a bit depending on what else is happening in the system, but in some cases it will tend to end up in the exact same place each time that function is visited.

      This is also why the latest in security is the no-execute bit on the processor. Since the actual code-image being executed for the hack does reside on the stack, simply marking the stack-frame as no-execute can prevent this entire class of hacks from working. The problem is that in the past, executing code-images in the stack frame has been used for legitimate purposes, and unfortunately it's an all or nothing solution.
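The bounds check that tinytim's "11th image" walkthrough and BagMan2's return-address explanation above are both describing, as an added example that is not code from anyone in this thread or from Windows itself. It parses a toy cursor header whose frame count is declared by the file (the "TOYC" layout is a constructed assumption, not the real .ani format), once trusting that count and once checking it against the fixed ten-entry buffer and the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout standing in for a cursor file (an assumption made
 * for this example, not the real .ani on-disk format):
 *   bytes 0..3 : magic "TOYC"
 *   bytes 4..7 : little-endian frame count declared by the file
 *   bytes 8..  : frame_count * FRAME_BYTES bytes of image data
 */
#define MAX_FRAMES   10
#define FRAME_BYTES  4
#define HEADER_BYTES 8

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the thread describes: the count read from the file is trusted,
 * so a file declaring 11 or more frames writes past the ten-entry stack
 * buffer, toward the saved return address. Kept here only for contrast;
 * it must never be run on untrusted input. */
int parse_cursor_trusting_count(const uint8_t *buf, size_t len)
{
    uint8_t frames[MAX_FRAMES][FRAME_BYTES];

    if (buf == NULL || len < HEADER_BYTES || memcmp(buf, "TOYC", 4) != 0)
        return -1;
    uint32_t count = rd_le32(buf + 4);
    for (uint32_t i = 0; i < count; i++)   /* no check that count <= MAX_FRAMES */
        memcpy(frames[i], buf + HEADER_BYTES + (size_t)i * FRAME_BYTES, FRAME_BYTES);
    return (int)count;
}

/* Hardened form: every length taken from the file is validated against both
 * the fixed buffer and the bytes actually present before any copy happens.
 * Returns the number of frames copied, or -1 for a malformed or oversized file.
 * NX and stack randomization only make a surviving overflow harder to exploit;
 * this check is what removes the overflow itself. */
int parse_cursor_checked(const uint8_t *buf, size_t len,
                         uint8_t out[MAX_FRAMES][FRAME_BYTES])
{
    if (buf == NULL || out == NULL || len < HEADER_BYTES ||
        memcmp(buf, "TOYC", 4) != 0)
        return -1;
    uint32_t count = rd_le32(buf + 4);
    if (count > MAX_FRAMES)                                  /* the "11th image" is refused */
        return -1;
    if ((size_t)count * FRAME_BYTES > len - HEADER_BYTES)    /* declares more than is present */
        return -1;
    for (uint32_t i = 0; i < count; i++)
        memcpy(out[i], buf + HEADER_BYTES + (size_t)i * FRAME_BYTES, FRAME_BYTES);
    return (int)count;
}

/* Constructed sample files. */
static const uint8_t good_file[HEADER_BYTES + 2 * FRAME_BYTES] = {
    'T', 'O', 'Y', 'C',  2, 0, 0, 0,
    0xAA, 0xBB, 0xCC, 0xDD,  0x11, 0x22, 0x33, 0x44
};
/* Declares 11 frames and carries 11 frames of (zero) data: the oversized case. */
static const uint8_t oversized_file[HEADER_BYTES + 11 * FRAME_BYTES] = {
    'T', 'O', 'Y', 'C',  11, 0, 0, 0
};

int demo_good(void)      /* expect 2 */
{
    uint8_t out[MAX_FRAMES][FRAME_BYTES];
    return parse_cursor_checked(good_file, sizeof good_file, out);
}

int demo_oversized(void) /* expect -1: count exceeds the buffer */
{
    uint8_t out[MAX_FRAMES][FRAME_BYTES];
    return parse_cursor_checked(oversized_file, sizeof oversized_file, out);
}

int demo_truncated(void) /* expect -1: header promises 2 frames, only 1 present */
{
    uint8_t out[MAX_FRAMES][FRAME_BYTES];
    return parse_cursor_checked(good_file, HEADER_BYTES + FRAME_BYTES, out);
}

int main(void)
{
    printf("good: %d, oversized: %d, truncated: %d\n",
           demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```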

    6. Re:hot spot misdirection by Anonymous Coward · · Score: 0

      Wouldn't work. The custom cursor would be used when the mouse is over the webpage, not when it's over any dialog box.

  59. the only solution by VinB · · Score: 0

    Solution: For God's sake, man, pull the plug!

  60. obligatory haiku by radiotyler · · Score: 1

    oh, windows cursor!
    your vista features amaze!
    where is my O/S?

    --
    hi mom!
    1. Re:obligatory haiku by Nazlfrag · · Score: 1

      the cursor wanders to territory unknown even by its maker

  61. Not a hotspot issue. by mmell · · Score: 1
    I suppose a background in Computer Science would help . . .

    This is a static buffer overflow exploit. Even Firefox and Opera under Windows are not vulnerable to this exploit - and I find it exceedingly unlikely that any Linux users are using IE6 or IE7 to surf the web from Linux :^)

    But you're right to note that a browser vulnerability could easily be found on any operating system which supports the vulnerable browser. Does Linux support IE (more accurately - does MicroSoft support IE under Linux)?

  62. Re:In other news...SSSSSSSSSPPPPPPPPPAAAAAAMMMMM by Anonymous Coward · · Score: 0

    quit spamming that link, obviously you want people using cursors so they can get hacked by the new improved version of the exploit. Time to go out of business.....

  63. Workaround by slyxter · · Score: 0

    The accessibility options in IE allow you to specify your own CSS file. Just set the animated cursor in there to a known safe value and you are all good. Or download Firefox and Thunderbird.

  64. Boy... by Zebra_X · · Score: 3, Funny

    Sure am glad I just upgraded to Vista and Office 2007:

    Mitigating Factors for Animated Cursor Vulnerability

      Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

      By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

    I think the important thing here to note is that MS is actually delivering on its promise to deliver a more secure OS and set of applications for users.

  65. Third party patch ... eEye by whitehatlurker · · Score: 1
    eEye has made available a "zero-day patch" for this.

    The patch blocks the loading of cursors from directories other than those below the Windows base directory. Source included.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  66. Re:In other news...SSSSSSSSSPPPPPPPPPAAAAAAMMMMM by AndroidCat · · Score: 1

    Whoooooosh!

    --
    One line blog. I hear that they're called Twitters now.
  67. BBC says you are saved if you use IE7 on Vista. by Ysangkok · · Score: 1

    BBC says you are saved if you use IE7 on Vista. Look in the bottom of the article mentioned in "Related Stories". Furthermore, the Secunia entry doesn't mention that you just have to run another browser than IE.

  68. Most likely... by Dareth · · Score: 1

    ... it will be a cursor from Soviet Russia that will "pwn" all the stupid Americans.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  69. status quo by psbrogna · · Score: 1

    Looks like "Windows Vulnerability" will be a redundant phrase for another 20 years.

  70. "zero day" by I'm Don Giovanni · · Score: 2, Interesting

    "Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable."

    "Zero day"? Did you say, "ZERO DAY"??? OMG!!! It's ARMAGEDDON!!

    Sorry, "zero day", while it has meaning, is mainly used for sensationalism. PANIC!!

    BTW, on Vista, IE7 does run in protected mode by default.

    --
    -- "I never gave these stories much credence." - HAL 9000
  71. come on now by Anonymous Coward · · Score: 0

    Who gives a crap about animated cursors..

  72. Re:The Solution is Amazing part 2 by k1e0x · · Score: 1

    > Solution: It says to update your computer.

    (even though there is no patch)

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  73. What idiot.. by Anonymous Coward · · Score: 0

    ..is responsible for applying tags??

    Sure, it's a stupid bug, but how exactly is this "defectivebydesign"?

  74. very funny! by Anonymous Coward · · Score: 0

    LOL, you're funny. Well, obviously what I meant was that no program (chunk of code; no matter how big or small) should ever be executed (from a site that isn't "trusted") without the user's permission. If, for example, a web page wanted to run its own program to control how a "busy" cursor is displayed, then I do think the user should be asked...but only ONCE!!! LOL. It would ask you once at the beginning (if it is okay to execute code) but I still think that no user application should be able to mess with system files/folders and registry entries outside of the ones for the program itself.

    INTERNET EXPLORER: www.slashdot.org: Okay to execute code? (WARNING: This action can jeopardize system security and put your computer at risk of being infected with a virus!!) (Allow) *(Deny)*

  75. Vista = Blanket Security only. by k1e0x · · Score: 1

    Despite being based on NT/2k/9x/XP or WTF, Microsoft Vista has around 50,000,000 lines of code dating back to the early 1980's.

    Microsoft has taken a position not to evaluate that code and make it more secure; instead they have introduced blanket, catch-all security measures: firewalls, stack protection, authorize dialogs, protected processes etc. So what you basically have is a very insecure OS covered up by a security layer. This is not a secure OS. A secure OS does not need a protective layer wrapped around it, a secure OS does not need a firewall. Why? Because it's internally secure without it.

    The same people who are saying the catch phrase line "Microsoft did a pretty good job with Vista" are the same people who said the same thing about XP and 2k and NT. I remember hearing it... "I think Microsoft did a pretty good job with Windows XP." That means they accept that it's flawed, and there is risk running it, but they don't want to acknowledge it?

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  76. Firefox is also vulnerable to this Windows flaw by thisispurefud · · Score: 1

    Determina security research says Firefox users are vulnerable to this Windows flaw because Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer

    1. Re:Firefox is also vulnerable to this Windows flaw by Dachannien · · Score: 1

      Does Firefox load an animated cursor automatically if the web page instructs it to, like IE does? Or does it require some affirmative action (e.g., clicking on a link) to happen?

    2. Re:Firefox is also vulnerable to this Windows flaw by thisispurefud · · Score: 1

      yes, Firefox is vulnerable like IE.
      You simply put an .ani, or renamed ico, or renamed jpeg in an HTML page and Firefox automatically parses it and a trojan is automatically installed

  77. That's a relief by DrSkwid · · Score: 1

    Cool, so all I lose is all my work, phew!
    While the files I can easily replace are specifically protected from harm.

    You made that giant bug turn into a feature, well done.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:That's a relief by devilspgd · · Score: 2, Interesting

      Files can be restored easily -- Right click, choose "Previous versions" and go nuts. Hurrah for shadow copies.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    2. Re:That's a relief by fireylord · · Score: 0

      hurrah indeed! and only 10 years behind a certain other os!

    3. Re:That's a relief by Anonymous Coward · · Score: 0

      I don't know which OS you are talking about. I hope you aren't referring to Linux, *BSD or OSX. Those are all monolithic kernels, a design which was obsolete over 30 years ago.

    4. Re:That's a relief by DrSkwid · · Score: 1


      "To remove all system restore and shadow copies except for the current restore point, click Clean Up under System Restore And Shadow Copies. When prompted to confirm that you want to delete this data, click Delete."

      If a virus wants to clean out my profile for me then it's not a very far leap to 'deltree $profile /Y; take snapshot; Clean Up Shadow Copies' thus leaving me with a snapshot of my empty profile.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    5. Re:That's a relief by devilspgd · · Score: 1

      This requires administrative privileges. If the user is planning on granting admin privileges, then obviously the malware owns the system.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  78. Huh? by woolio · · Score: 1

    By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

    I think the important thing here to note is that MS is actually delivering on its promise to deliver a more secure OS and set of applications for users.


    I've also noticed that Outlook uses *Word* to display HTML... That just sounds really wrong... Does Word do Javascript? Can HTML pages trigger Word macros? Can they interact with other Word documents? Can the Word templates be accessed? I'd hope the answer is no in all cases, but this is Microsoft we're talking about... And they have had trouble with this type of stuff before.

    1. Re:Huh? by Anonymous Coward · · Score: 0

      No to all of the above. An attacker would need to find a bug in Word to perform any malicious action.

  79. All hail by Some_Llama · · Score: 1

    and behold the TRUE power of the Comet Cursor! Bwhahahaha

  80. If you can't trust your cursor ... by Shadowlore · · Score: 1

    who can you trust?

    --
    My Suburban burns less gasoline than your Prius.
  81. There is an exploit in the wild by rgo · · Score: 1

    It's called...

    Comet Cursor.

  82. Sandboxing is not an admission of failure by Beryllium Sphere(tm) · · Score: 1

    >Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole...

    OpenBSD took code auditing as far as human beings could take it and then decided that privilege separation was necessary. It's not the same thing as IE 7 on Vista's "protected mode", but it follows the same principle of limiting privileges of code that doesn't need them. OpenBSD did both, and there's evidence that Microsoft is doing both.

    My compass through the hype about Windows security is to look at what kind of code the bugs are in. Newer code seems to be genuinely cleaner, and some of the worst bugs (the whole series of WMF vulnerabilities for example) have been in code old enough to drink legally.