Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
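The advisory quoted above says only that the flaw is an "unspecified error in the handling of animated cursors". An animated cursor is a RIFF container (form type ACON) whose anih chunk carries a fixed 36-byte header, so the file is a chain of attacker-supplied length fields. The C example below is added for this page and is not Windows code or anything a poster in this thread wrote: it parses such a file from a constructed byte buffer and checks every length the file supplies, first against the buffer and then against the fixed structure it is supposed to describe, before any field is read. It illustrates the defensive pattern for chunked formats rather than the specific bug; parse_ani, build_ani and the return codes are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Payload of the "anih" chunk: nine 32-bit little-endian fields, 36 bytes. */
#define ANI_HEADER_SIZE 36u

typedef struct {
    uint32_t cbSize, nFrames, nSteps, cx, cy, cBitCount, cPlanes, jifRate, flags;
} ani_header_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a RIFF/ACON buffer and fill *out from its anih chunk.
 * Returns 0 on success; each negative code names the check that failed.
 * The shape this guards against is
 *     uint8_t hdr[36]; memcpy(hdr, chunk_data, chunk_size_from_file);
 * i.e. letting a length the attacker wrote decide how much lands in a fixed buffer. */
int parse_ani(const uint8_t *buf, size_t len, ani_header_t *out) {
    if (len < 12) return -1;                                   /* no room for the RIFF header */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -2;
    uint32_t riff_len = rd32(buf + 4);                         /* bytes after the length field */
    if (riff_len < 4 || riff_len > len - 8) return -3;         /* declared size must fit the buffer */
    size_t end = 8 + riff_len;
    size_t pos = 12;
    int found = 0;
    while (pos + 8 <= end) {                                   /* each chunk: 4-byte id, 4-byte size */
        const uint8_t *id = buf + pos;
        uint32_t cs = rd32(buf + pos + 4);
        pos += 8;
        if (cs > end - pos) return -4;                         /* chunk body overruns the file */
        if (memcmp(id, "anih", 4) == 0) {
            if (cs != ANI_HEADER_SIZE) return -5;              /* fixed structure: size must match exactly */
            const uint8_t *p = buf + pos;
            out->cbSize = rd32(p);       out->nFrames = rd32(p + 4);   out->nSteps = rd32(p + 8);
            out->cx = rd32(p + 12);      out->cy = rd32(p + 16);       out->cBitCount = rd32(p + 20);
            out->cPlanes = rd32(p + 24); out->jifRate = rd32(p + 28);  out->flags = rd32(p + 32);
            if (out->cbSize != ANI_HEADER_SIZE) return -6;     /* header's own size field must agree */
            found = 1;
        }
        pos += cs + (cs & 1);                                  /* RIFF pads odd-sized chunks to even */
    }
    return found ? 0 : -7;                                     /* an .ani without anih is not usable */
}

/* Constructed sample (not a real cursor file): RIFF/ACON with one anih chunk whose
 * header claims size_field bytes while payload_len bytes actually follow.
 * out needs 20 + payload_len bytes. Lets us feed consistent and lying length fields. */
size_t build_ani(uint8_t *out, uint32_t size_field, uint32_t payload_len) {
    static const uint32_t fields[9] = {ANI_HEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1};
    memcpy(out, "RIFF", 4);
    wr32(out + 4, 4 + 8 + payload_len);   /* "ACON" + chunk header + chunk body */
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32(out + 16, size_field);
    memset(out + 20, 0, payload_len);
    for (uint32_t i = 0; i < 9 && (i + 1) * 4 <= payload_len; i++)
        wr32(out + 20 + i * 4, fields[i]);
    return 20 + payload_len;
}

int main(void) {
    uint8_t buf[256];
    ani_header_t h;
    size_t n = build_ani(buf, ANI_HEADER_SIZE, ANI_HEADER_SIZE);
    printf("well-formed: rc=%d frames=%u\n", parse_ani(buf, n, &h), h.nFrames);
    n = build_ani(buf, 4096, ANI_HEADER_SIZE);      /* claims 4 KiB, file holds 36 bytes */
    printf("oversized anih: rc=%d\n", parse_ani(buf, n, &h));
    n = build_ani(buf, 40, 40);                     /* consistent with the file, but not the fixed size */
    printf("wrong-sized anih: rc=%d\n", parse_ani(buf, n, &h));
    return 0;
}
```

The two rejections matter for different reasons: the first is the classic out-of-bounds read or copy, the second is a chunk that fits the file but not the structure it will be decoded into. A parser that only performs the first check still hands a 40-byte or 4-byte body to code expecting exactly 36, which is why the size is compared to the constant rather than merely bounded.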
It doesn't run as root; it can run in any security context. This exploit just crashes explorer; it doesn't crash Vista. However, this is still a problem for Joe Average, who won't know what to do when explorer goes into a crash-restart-crash loop.
NO WONDER I got viruses on my personal computer by just visiting web sites, and without running any Java Applets or anything that would normally execute any code on my end. Those b**tards were running an animated cursor algorithm?? How in the heck would Microsoft allow the execution of code for that?? Microsoft needs to learn that it is NOT okay to execute code from the Internet without the user's permission, How much longer will it be before they realize this??
It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.
Even if the user were to download the cursors and run them locally, the effect would be minimized because, by default, a user, even a member of Administrators, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.
You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.
Someone got too greedy? They targeted a rare individual that was more vigilant about their machine?
IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.
I'd rather be lucky than good.
FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe, in their infinite wisdom, requires you to turn off protected mode to be able to write PDF (using Acrobat) from IE. More Adobe's fault than anything else.
I will start this response by noting that I work on a security team at MS that deals with OS security issues.
Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features. MS took an enormous step in security with their release of IE 7. This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.
In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.
Until a patch is released, turn off active cursors.
All features add attack surface. If you are more concerned about security, such as I am, you will disable features that are neat, but don't add much functionality. I suspect that most users like the neat eye candy.
As for me, I am running Vista on a notebook in power saving mode. I went into advanced settings and optimized for performance, thereby disabling aero / glass. I then went into the control panel and turned off sidebar. I run explorer in Windows classic mode. And yes, I routinely work in a command prompt.
I browse with IE in protected mode. I have gone into the advanced settings and turned off scripting, multimedia, explicitly disabled Flash/Shockwave, active code, etc. If web sites were understandable in plain text, I would turn off images as well. I would expect that most other browsers would be reasonably safe with such lockdowns -- but much of the web might as well not exist for such restricted browsers. Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or Firefox, which I have used extensively.
Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without replacement and an Apple policy that required me to keep buying new OS releases at ~ $150 about every 2 years to keep my security updates, I came to truly appreciate the long term and transparent MS support.
"Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable."
"Zero day"? Did you say, "ZERO DAY"??? OMG!!! It's ARMAGEDDON!!
Sorry, "zero day", while it has meaning, is mainly used for sensationalism. PANIC!!
BTW, on Vista, IE7 does run in protected mode by default.
-- "I never gave these stories much credence." - HAL 9000
"That is only if protected mode is on, right? So all this allows the 'sploit to do is download all of the user files and use/view any other process that the user has rights to?"
I believe you're always in "protected mode;" even when you're on an admin account you're still not in "super user" mode.
It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.
The UAC dialog would not be shown in this case. The UAC box is only shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate its permissions while it is already running. If the process tries to access a restricted area of the filesystem/registry etc. while it is already running under these permissions, the API call will be denied.
The clash of honour calls, to stand when others fall.
Files can be restored easily -- right click, choose "Previous versions" and go nuts. Hurrah for shadow copies.
Give a man a fish, he'll eat for a day, but teach a man to phish...