Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

First Pwndst

So much for Vista being secure from the ground up!

Re:First Pwndst

[Luscious868]

So much for Vista being secure from the ground up!

Vista is secure from the ground up ... just so long as your running it in a VM on some other OS.

Why would my cursor run as root?

[Dr.+Zowie]

Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

Re:Why would my cursor run as root?

[644bd346996]

What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.

Re:Why would my cursor run as root?

[644bd346996]

Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.

Re:Why would my cursor run as root?

Who cares if it runs as root or not?

You're missing the point, so are many others. If it runs as root/admin it means it can easily makes itself completely invisible to the system. Fake infos given to an anti-virus, etc. Completely stealth. It also means it can spy you silently in the background. If an exploit is root, the only way to detect it is from another system. You simply can't trust your OS anymore, unless you reinstall everything from scratch. What makes you think a local exploit would detect your data or a root exploit would trash your whole OS? This is not what exploit do. Exploits nowadays are used to zombify machines (way more effective when the exploit is a root exploit) and to steal user data, to fake your identity. Also much more likely to succeed if the exploit is root (on some OSes, including some Windows version, you can't install a key-sniffer unless you're root).

What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?

The level of short-sightedness of your comment is quite sad. Oh, and my data are backup up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you" right?)

And anyway, on most systems, once you've got a remote non root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about wether the exploit is root or not: I'd consider a Unix with a seamingly non-root exploit exploited to have been completely rooted and so do I for Windows machine.

Re:Why would my cursor run as root?

Redicolous argument. You'd be just as hosed by a hardware fault. You'd better log out and run to buy some tape/cdr, if you really value your data that highly since you apparently don't do backups..

Re:Why would my cursor run as root?

[Locutus]

you this that's bad, there was another security flaw in the mouse code announced over 15 months ago( Jan 05 ). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd atleast want to be refactoring what you have to touch because of bugs or, for example, security holes.

http://www.checkpoint.com/defense/advisories/publi c/2005/cpai-2005-06.html

But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band aide on it and send it right into the Windows Vista product is just plain bad.

Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.

LoB

Re:Why would my cursor run as root?

[shutdown+-p+now]

Writing a secure browser is inherently difficult, particularily if you want to execute untrusted code, run complex parsers, or run neat active features.

Let's see.

• Internet Explorer 7
• Firefox 2.x
• Opera 9

Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?

MS took an enormous step in security with their release of IE 7

If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.

This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

It already haven't been. The guys who found the exploit say that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclosed the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.

In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.

Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?

Until a patch is released, turn off active cursors.

HOW? Because, you know, your very own security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!

Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.

Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep

This old?

[LinuxGeek]

With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.

Re:This old?

[truthsearch]

This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

Re:This old?

[rbochan]

A decade ago it was screensavers... you've come a long way baby...

Re:This old?

[LilGuy]

If it were true that this was exploited for years, why would it come out now? Has something even better been found and thus this one can be trashed?

Why does it get to be this bad?

[140Mandak262Jamuna]

Well, one can understand programmers making stupid mistakes, and creating vulnerabilities. And everytime you add features, whether it is important or just bells and whistles, you always run the risk of opening up another vulnerabilities. Granting all that, why is it that, in 2007, after Vista, with "Security is Job 1 in MSFT", why does a vulnerability in a browser goes all the way up to executing arbitrary code? Browsers are expected to get data from untrustable sites, they should have heavy armour protection. Why the users are putting up with this nonsense?

Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.

Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.

Re:Why does it get to be this bad?

[tijmentiming]

You missed the point. He only says it's weird that people shrug when software is insecure. It's a not a rant to microsoft, but to people who shrug.

Re:What's to investigate?

[rbochan]

...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...

That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.

Re:What kind of mouthbreather would even...

[Rob+T+Firefly]

I'll own up and admit to having used exclusively animated cursors in the past... but then again, I was a mouthbreathing teenager in the mid 1990s with my first Pentium. I also had Star Trek WAVs hooked to all my Windows events, ran After Dark's screensaver app at all times, used any excuse to look things up Compton's Interactive Encyclopedia CD-ROM, and obsessively hoarded Voyager publicity photos from Compuserve. A few blinky wiggly pointers shaped like phasers and lightsabers were the least of my crimes against good taste, but frankly, I would have totally deserved getting owned as a result.

Re:goddam hackers

[Just+Some+Guy]

Guess you are STILL a Computer Scientist student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists to every possible abuse.

I was going to try to be calm and rational about this, but screw it.

It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.

Seriously. Quit before you break something.

Un-fragging-believable!

[mmell]

Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.

If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.

If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.

The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?

I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .

Why you should care

If root gets pwned, you cannot trust your system OR your data. It could have put a trojan or backdoor in and you'll never know. You will now have to reinstall your system, reinstall your applications, reconfigure your system and then load your data from backup.

However, if a user account is pwned, you cannot trust your data. Either scan or load from backup.

So that's why you don't want "root" compromised.

And that is without going in to things you just can't DO as a normal user (raw sockets or even bind to ports 1024)...

Ah yes

[loconet]

Although I use Linux exclusively at home/work, here I am, silly fool, giving the benefit of the doubt to Vista and its "enhanced security". I've always been aware IE's ability to create holes in the most unrelated portions of the OS (cursor, help pages, etc) and yet, I thought that Vista, maybe, just maybe actually was worth its 5+years of development and it was not all spent in DRM crap. How foolish of me. Here is yet again another seemingly unrelated functionality affected by the disaster that is IE. I will not be surprised if tomorrow IE can make your desk lamp vulnerable.

Don't worry !

[udippel]

The Microsoft Advisory - whom we all trust - shows that the fuzz here in /. is unnecessary.
RTMF (Read The Mitigating Factors) !:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

See, much ado about nothing !:
  - the attacker would have to host a web site [surely, they couldn't, could they !]
  - the attacker could compromise a web site [probably they would not know how to, would they !]
  - the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
  - the attacker would need to persuade us [just told my wife not to answer the phone or door bell]

Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.

Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !