Slashdot Mirror


Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is 'extremely critical'. Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

6 of 338 comments

  1. Only affects rendering using the IE engine... by bubbl07 · Score: 5, Interesting
    From a McAfee Avert Labs blog article:

    Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
    Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.
  2. Re:First Pwndst by Anonymous Coward · Score: 5, Interesting

    It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

    Even if the user were to download the cursors and run them locally, the effect would be minimized because, by default, a user, even a member of Administrators, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

    You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

  3. Re:First Pwndst by Frizzle Fry · Score: 4, Interesting

    IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.

    --
    I'd rather be lucky than good.
  4. Re:Why would my cursor run as root? by klubar · Score: 3, Interesting

    FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe, in their infinite wisdom, requires you to turn off protected mode to be able to write PDF (using Acrobat) from IE. More Adobe's fault than anything else.

  5. Re:IE protected mode by shutdown -p now · Score: 3, Interesting

    It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of the IE cache (to which it also obviously has access) to insert the required code into a few of the most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.

  6. Re:First Pwndst by Bungie · Score: 4, Interesting

    The UAC dialog would not be shown in this case. The UAC box is only shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate its permissions while it is already running. If the process tries to access a restricted area of the filesystem/registry etc. while it is already running under these permissions, the API call will be denied.

    --
    The clash of honour calls, to stand when others fall.
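
Comments 4 and 6 rest on two mitigations being in place: IE Protected Mode per security zone, and UAC (which Protected Mode depends on). The script below, an added example and not part of the Slashdot thread, reads the registry values that record both states so an administrator can confirm the mitigation is actually on; it assumes the standard Zones location under HKCU (URL action 2500, "Turn on Protected Mode") and the EnableLUA policy value under HKLM.

```powershell
# Added example: verify the Vista-era mitigations discussed in the thread.
# Assumption: per-zone IE settings live under HKCU ...\Internet Settings\Zones\<n>
# and URL action 2500 holds 0 (Protected Mode on) or 3 (off). A machine policy
# (Security_HKLM_only) can make the HKLM hive authoritative instead; not handled here.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ProtectedModeState {
    param([int]$Zone)
    $props = Get-ItemProperty -Path (Join-Path $zonesKey $Zone) -ErrorAction SilentlyContinue
    # A missing value means IE's built-in default applies (on for Internet/Restricted).
    if (-not $props -or $null -eq $props.'2500') { return 'not set (IE default applies)' }
    switch ($props.'2500') {
        0       { 'enabled' }
        3       { 'disabled' }
        default { "unknown value $($props.'2500')" }
    }
}

# Protected Mode is only effective when UAC is enabled (EnableLUA = 1).
$lua = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                        -Name EnableLUA -ErrorAction SilentlyContinue
if ($lua -and $lua.EnableLUA -eq 1) {
    'UAC: enabled (Protected Mode can take effect)'
} else {
    'UAC: disabled or not readable  <-- Protected Mode is not enforced without UAC'
}

foreach ($z in 0..4) {
    $state = Get-ProtectedModeState -Zone $z
    # The Internet and Restricted zones are where untrusted content (a malicious page
    # carrying a crafted cursor) lands, so an explicit "disabled" there is worth a look.
    $flag = if ($state -eq 'disabled' -and $z -ge 3) { '  <-- review: mitigation turned off' } else { '' }
    '{0,-16} (zone {1}): Protected Mode {2}{3}' -f $zoneNames[$z], $z, $state, $flag
}
```

Run it in the context of the user whose browser you are assessing, since the zone settings it reads are per user.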