Slashdot Mirror
Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.
Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn of 'Remember each folder settings' option.
I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
You can't handle the truth.
'With', not 'and'. In other words, IE7 on XP could still be vulnerable, or Vista could by opening the cursor file through some non-IE7 means.
Vista w/ Windows Mail seems to be vulnerable.
My apologies, article here.
I guess you are not a student of Computer Science.
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple actual practice is hard.
A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
Who needs animated cursors, anyway?
Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29.
So, their problems with animated cursors are really old, back to the NT 4 era.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:
...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.
http://www.secureworks.com/research/threats/gozi/
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.
Oolite: Elite-like game. For Mac, Linux and Windows
Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).
It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".
Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:
.ANI file which exploits the hole in IE.
body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified
I am almost positive there is no way to disable this in IE.
That's not quite true. The vulnerability does allow execution of arbitrary code, however protected mode IE limits the scope of what the running code can do. With protected mode IE, IE (and any processes spawned by IE) cannot write data to arbitrary locations, cannot send window messages to arbitrary windows on the user's desktop and cannot take advantage of most of the abilities that most users have. This applies even if the user is an administrator.
Protected mode IE *does* have the ability to read anything that the user would regularly have access to, and through a helper application (ieuser.exe) is able to ask the user to download files or change IE settings. And anything else the user does in that particular IE process can be read or altered.
So with protected mode IE the vulnerability does allow the execution of arbitrary code and it can steal your data files, but it can't write to your regular files or system files.
The MS website seems to imply that IE7 Protected Mode is not the default
It is on by default for all but the trusted zone.
That leaves at least 95% of the installed base of desktops vulnerable.
Or you know.. not..
There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.
Because one of the "good guys" finally found it and reported it. The "bad guys" weren't ever going to squeal.
If you're going to be elitist, it would help to be elite.
Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.
Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.