Slashdot Mirror


Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

71 of 338 comments

  1. First Pwndst by Anonymous Coward · · Score: 2, Insightful

    So much for Vista being secure from the ground up!

    1. Re:First Pwndst by Luscious868 · · Score: 3, Insightful

      So much for Vista being secure from the ground up!
      Vista is secure from the ground up ... just so long as you're running it in a VM on some other OS.
    2. Re:First Pwndst by Anonymous Coward · · Score: 5, Interesting

      It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

      Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

      You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

    3. Re:First Pwndst by Frizzle Fry · · Score: 4, Interesting

      IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.

      --
      I'd rather be lucky than good.
    4. Re:First Pwndst by Giometrix · · Score: 2, Interesting

      "That is only if protected mode is on right.. so all this allows the 'sploit to do is download all of the user files and use /view any other process that the user has right to?"

      I believe you're always in "protected mode;" even when you're on an admin account you're still not in "super user" mode.

      --
      Download free e-books, lectures, and tutorials at bookgoldmine.com
    5. Re:First Pwndst by Bungie · · Score: 4, Interesting

      The UAC dialog would not be shown in this case. The UAC box is only shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate its permissions while it is already running. If the process tries to access a restricted area of the filesystem/registry etc. while it is already running under these permissions, the API call will be denied.

      --
      The clash of honour calls, to stand when others fall.
  2. Why would my cursor run as root? by Dr. Zowie · · Score: 5, Insightful

    Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

    1. Re:Why would my cursor run as root? by 644bd346996 · · Score: 4, Insightful

      What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.

    2. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 5, Funny

      What part of "Successful exploitation allows execution of arbitrary code." do you not understand?

      Successful.

    3. Re:Why would my cursor run as root? by FreshMeat-BWG · · Score: 4, Informative

      Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).

      It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".

      Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.

    4. Re:Why would my cursor run as root? by spun · · Score: 5, Funny

      Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.

      "In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.

      Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    5. Re:Why would my cursor run as root? by 644bd346996 · · Score: 4, Insightful

      Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.

    6. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 2, Insightful

      Who cares if it runs as root or not?

      You're missing the point, and so are many others. If it runs as root/admin it means it can easily make itself completely invisible to the system. Fake info given to an anti-virus, etc. Completely stealthy. It also means it can spy on you silently in the background. If an exploit is root, the only way to detect it is from another system. You simply can't trust your OS anymore, unless you reinstall everything from scratch. What makes you think a local exploit would detect your data or a root exploit would trash your whole OS? This is not what exploits do. Exploits nowadays are used to zombify machines (way more effective when the exploit is a root exploit) and to steal user data, to fake your identity. Also much more likely to succeed if the exploit is root (on some OSes, including some Windows versions, you can't install a key-sniffer unless you're root).

      What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?

      The level of short-sightedness of your comment is quite sad. Oh, and my data are backed up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk could "digitally kill you" right?)

      And anyway, on most systems, once you've got a remote non-root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about whether the exploit is root or not: I'd consider a Unix with a seemingly non-root exploit exploited to have been completely rooted, and so do I for a Windows machine.

    7. Re:Why would my cursor run as root? by Afecks · · Score: 2, Informative

      The MS website seems to imply that IE7 Protected Mode is not the default

      It is on by default for all but the trusted zone.

      That leaves at least 95% of the installed base of desktops vulnerable.

      Or you know.. not..

      There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.

    8. Re:Why would my cursor run as root? by Locutus · · Score: 4, Insightful

      You think that's bad? There was another security flaw in the mouse code announced over 15 months ago (Jan 05). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd at least want to be refactoring what you have to touch because of bugs or, for example, security holes.

      http://www.checkpoint.com/defense/advisories/public/2005/cpai-2005-06.html

      But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.

      Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of a secure model for the whole... What a joke.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    9. Re:Why would my cursor run as root? by Rutulian · · Score: 4, Informative

      Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.

      Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.

    10. Re:Why would my cursor run as root? by klubar · · Score: 3, Interesting

      FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe in their infinite wisdom requires you to turn off protected mode to be able to write PDF (using acrobat) from IE. More adobe's fault than anything else.

    11. Re:Why would my cursor run as root? by secPM_MS · · Score: 2, Interesting

      I will start this response with noting that I work a security team at MS that deals with OS security issues.

      Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features. MS took an enormous step in security with their release of IE 7. This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

      In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

      Until a patch is released, turn off active cursors.

      All features add attack surface. If you are more concerned about security, such as I am, you will disable features that are neat, but don't add much functionality. I suspect that most users like the neat eye candy.

      As for me, I am running Vista on a notebook in power saving mode. I went into advanced settings and optimized for performance, thereby disabling aero / glass. I then went into the control panel and turned off sidebar. I run explorer in Windows classic mode. And yes, I routinely work in a command prompt.

      I browse with IE in protected mode. I have gone into the advanced settings and turned off scripting, multi-media, explicitly disabled flash/shockwave, active code, etc. If web sites were understandable in plain text, I would turn off images as well. I would expect that most other browsers would be reasonably safe with such lockdowns -- but much of the web might as well not exist for such restricted browsers. Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

      Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without replacement and an Apple policy that required me to keep buying new OS releases at ~ $150 about every 2 years to keep my security updates, I came to truly appreciate the long term and transparent MS support.

    12. Re:Why would my cursor run as root? by shutdown -p now · · Score: 3, Insightful

      Writing a secure browser is inherently difficult, particularly if you want to execute untrusted code, run complex parsers, or run neat active features.

      Let's see.

      Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?

      MS took an enormous step in security with their release of IE 7

      If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.

      This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

      It already hasn't been. The guys who found the exploit say that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclose the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.

      In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

      It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.

      Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?

      Until a patch is released, turn off active cursors.

      HOW? Because, you know, your very own security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!

      Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

      Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.

      Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep

  3. Surprise, Windows Listed as Most Secure OS by ballmerfud · · Score: 5, Funny

    Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.

    --
    http://uncyclopedia.org/wiki/User:Steve_Ballmer
    1. Re: Surprise, Windows Listed as Most Secure OS by CoolVibe · · Score: 4, Funny

      Surprise, Windows Listed as Most Secure OS ... just don't move the mouse. and pull the network plug out while you are at it. More security :)
  4. This old? by LinuxGeek · · Score: 4, Insightful

    With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
    1. Re:This old? by truthsearch · · Score: 4, Insightful

      This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

    2. Re:This old? by rbochan · · Score: 2, Insightful

      A decade ago it was screensavers... you've come a long way baby...

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    3. Re:This old? by LilGuy · · Score: 4, Insightful

      If it were true that this was exploited for years, why would it come out now? Has something even better been found and thus this one can be trashed?

      --

      You're nothing; like me.
    4. Re:This old? by alexhs · · Score: 3, Informative

      Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29.
      So, their problems with animated cursors are really old, back to the NT 4 era.

      --
      I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    5. Re:This old? by ergo98 · · Score: 2, Interesting

      If it were true that this was exploited for years, why would it come out now?

      Someone got too greedy? They targeted a rare individual that was more vigilant about their machine?
    6. Re:This old? by fuzz6y · · Score: 3, Informative

      Because one of the "good guys" finally found it and reported it. The "bad guys" weren't ever going to squeal.

      --
      If you're going to be elitist, it would help to be elite.
  5. Oblig. by zlogic · · Score: 3, Funny

    In Soviet Russia, cursors pwn you!

  6. The Solution is Amazing by neoform · · Score: 4, Funny

    >Solution: Do not browse untrusted sites or view untrusted e-mails.

    Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.

    --
    MABASPLOOM!
    1. Re:The Solution is Amazing by penp · · Score: 2, Informative
      If you read the link to Microsoft's advisory about the exploit, it sounds like you're not even supposed to trust email from people you do know.

      As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

      On top of that, if you read further it starts to sound like a scheme they're using to try to sell more copies of Windows Vista.

      Mitigating Factors for Animated Cursor Vulnerability

      Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

      By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

      Who needs animated cursors, anyway?
    2. Re:The Solution is Amazing by ehaggis · · Score: 5, Funny

      Don't use a cursor, just guess where your mouse is pointing.

      --
      One ring to bind them - should probably have more fiber and less rings in their diet.
  7. Only affects rendering using the IE engine... by bubbl07 · · Score: 5, Interesting
    From a McAfee Avert Labs blog article:

    Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

    Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.
    1. Re:Only affects rendering using the IE engine... by bubbl07 · · Score: 2, Informative

      My apologies, article here.

  8. Why does it get to be this bad? by 140Mandak262Jamuna · · Score: 3, Insightful
    Well, one can understand programmers making stupid mistakes, and creating vulnerabilities. And every time you add features, whether it is important or just bells and whistles, you always run the risk of opening up another vulnerability. Granting all that, why is it that, in 2007, after Vista, with "Security is Job 1 in MSFT", a vulnerability in a browser goes all the way up to executing arbitrary code? Browsers are expected to get data from untrustable sites, they should have heavy armour protection. Why are the users putting up with this nonsense?

    Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.

    Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Why does it get to be this bad? by DoofusOfDeath · · Score: 4, Funny

      No doubt you aren't a programmer, and wouldn't really grasp how complex a piece of software like a web browser really is,

      Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.

    2. Re:Why does it get to be this bad? by tijmentiming · · Score: 2, Insightful

      You missed the point. He only says it's weird that people shrug when software is insecure. It's not a rant at Microsoft, but at people who shrug.

  9. What kind of mouthbreather would even... by straponego · · Score: 4, Funny

    ...install an animated cursor in the first place? Okay, besides the CEO.

    1. Re:What kind of mouthbreather would even... by Torodung · · Score: 2

      Actually, it's pretty useful for the "wait" cursors, because you can tell if the system has crashed or is stuttering badly. I use it for both the "Working in background" and "Busy" signs. If the hourglass stops moving, and sometimes it does, even if mouse control still works, you know you're waiting for nothing. It was more useful with Windows 95 and 98, but I still use it in XP.

      (Actually, I use a set of modified Mac OS 8 icons, including black arrows and the classic "watch" icon, but I use hourglasses here because that's usually what folks use in Windows. There used to be an icon scheme called "animated hourglasses.")

      --
      Toro (breathing through my mouth)

    2. Re:What kind of mouthbreather would even... by Rob T Firefly · · Score: 2, Insightful

      I'll own up and admit to having used exclusively animated cursors in the past... but then again, I was a mouthbreathing teenager in the mid 1990s with my first Pentium. I also had Star Trek WAVs hooked to all my Windows events, ran After Dark's screensaver app at all times, used any excuse to look things up Compton's Interactive Encyclopedia CD-ROM, and obsessively hoarded Voyager publicity photos from Compuserve. A few blinky wiggly pointers shaped like phasers and lightsabers were the least of my crimes against good taste, but frankly, I would have totally deserved getting owned as a result.

    3. Re:What kind of mouthbreather would even... by gEvil (beta) · · Score: 2, Funny

      ...install an animated cursor in the first place? Okay, besides the CEO.

      My cursor is a big punching glove. It makes hitting that damn monkey that much easier...

      --
      This guy's the limit!
    4. Re:What kind of mouthbreather would even... by illegalcortex · · Score: 2, Informative

      What kind of mouthbreather would even install an animated cursor in the first place?
      I'm not sure that's really the problem. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

      With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
      http://www.anicursor.com/webcursor.html

      I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
  10. What's to investigate? by roman_mir · · Score: 2, Informative

    Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.

    Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn off 'Remember each folder settings' option.

    I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients, do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)

    1. Re:What's to investigate? by rbochan · · Score: 4, Insightful

      ...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...

      That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
      You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is an appliance, like a toaster, because Bill Gates tells him it is.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    2. Re:What's to investigate? by illegalcortex · · Score: 2, Informative

      do not allow animated anything on your desktop
      I'm not sure that's really the solution. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

      With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
      http://www.anicursor.com/webcursor.html

      I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
    3. Re:What's to investigate? by Trailer Trash · · Score: 2, Funny

      Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed

      We're two days away from April 1st, let us enjoy these days while we can...

  11. Criminals using this vulnerability ? by Rastignac · · Score: 5, Funny

    Our security expert, Jackson M., just told us:
    " So, ANI are you ok ? Are you ok ANI ?
        You've been hit by... you've been hit by... a smooth criminal ! "

    --
    -- Rastignac was here.
  12. A workaround for this... by Anonymous Coward · · Score: 5, Funny

    A workaround for this is to install some quality cursors.
    I use the comet cursor package that installed itself automatically when I browsed the web.
    It has some great cursors and loads of other features that make using Windows far more entertaining.

    I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.

  13. Re:goddam hackers by jellomizer · · Score: 4, Informative

    I guess you are not a student of Computer Science.
    Every parameter from every possible input needs to be verified for its correctness. If it isn't, you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.

    The concept is simple; actual practice is hard.

    A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  14. I can hear Ballmer screaming... by xactuary · · Score: 5, Funny
    Cursors? Foiled again!

    --
    Say hello to my little sig.
    1. Re:I can hear Ballmer screaming... by erroneus · · Score: 2, Funny

      Damn you! I have been waiting YEARS to do that one!!

      Damn you! Damn you all to hell!!

  15. Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 5, Funny

    [Cancel] or [Allow]?

  16. Caution by Alioth · · Score: 5, Informative

    If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

    http://www.secureworks.com/research/threats/gozi/ ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

    This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

  17. Re:Vista Security. by rajafarian · · Score: 4, Funny

    I thought Vista was supposed to be the most secure OS ever.

    Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."

    I think this was carefully worded by them so they could say it with an honest face.

  18. Correction by towsonu2003 · · Score: 2, Funny

    In Soviet Russia, cursors pwn you!

    Correction: In Soviet Russia, you pwn cursors! So you might want to live in Soviet Russia... Sorry.
  19. Re:goddam hackers by Just Some Guy · · Score: 4, Insightful

    Guess you are STILL a Computer Science student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists every possible abuse.

    I was going to try to be calm and rational about this, but screw it.

    It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

    You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.

    Seriously. Quit before you break something.

    --
    Dewey, what part of this looks like authorities should be involved?
  20. Pfff. Locked in a vault? by spun · · Score: 5, Funny

    The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  21. IE loads animated cursors via CSS by illegalcortex · · Score: 5, Informative

    For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

    body {cursor: url('cursor.ani');}
    <BODY style="CURSOR: url('cursor.ani')">
    <BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

    You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

    I am almost positive there is no way to disable this in IE.

    1. Re:IE loads animated cursors via CSS by illegalcortex · · Score: 2, Informative

      You could probably block the easier ones, yes. But first off, I'm not sure the file has to be named with a .ANI extension. Second, it's probable that you could do the CSS via javascript rather than have it hardcoded like in my examples. Doing these two things would make scrubbing via a proxy much more difficult.

    2. Re:IE loads animated cursors via CSS by lostboy2 · · Score: 4, Informative

      SANS says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).
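
      Picking up the point made in this thread that the cursor file can arrive under any extension (and can be referenced from script rather than static CSS), here is an added example, not code from any poster and not Microsoft's, that identifies animated cursors by content instead of name. It sniffs the RIFF/ACON signature, walks the chunk list (descending into LIST chunks), and flags any anih chunk whose declared length is not the 36 bytes of the documented ANIHEADER structure, plus chunks that run past the end of the file. It does not claim to detect the flaw itself, whose details the advisories do not give; it is a triage filter for a proxy or mail gateway. The two sample files are constructed inline; the filenames are hypothetical.

```python
"""Content-based detection of Windows animated cursor (RIFF/ACON) files.

Added example: flags .ANI content regardless of extension and reports
structural anomalies in the chunk list. Sample files are constructed below.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields, cbSize first


def is_ani(data: bytes) -> bool:
    """True if the bytes start with a RIFF container whose form type is ACON."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def riff_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, offset, declared_size, payload, truncated) for each chunk
    in data[start:end]; LIST chunks are yielded and then descended into."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = payload_start + size
        if payload_end > end:
            # declared size runs past the data we have: report and stop
            yield fourcc, pos, size, data[payload_start:end], True
            return
        payload = data[payload_start:payload_end]
        if fourcc == b"LIST":
            # first four payload bytes name the list type; sub-chunks follow
            yield fourcc, pos, size, payload[:4], False
            yield from riff_chunks(data, payload_start + 4, payload_end)
        else:
            yield fourcc, pos, size, payload, False
        pos = payload_end + (size & 1)  # RIFF chunks are padded to even length


def scan(name: str, data: bytes) -> dict:
    """Return {'name', 'is_ani', 'findings'}; findings is empty for a clean file."""
    result = {"name": name, "is_ani": is_ani(data), "findings": []}
    if not result["is_ani"]:
        return result
    if not name.lower().endswith(".ani"):
        result["findings"].append(f"extension mismatch: {name!r} carries RIFF/ACON content")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        result["findings"].append(f"RIFF size {riff_size} does not match file length {len(data)}")
    for fourcc, off, size, _payload, truncated in riff_chunks(data, 12, len(data)):
        if truncated:
            result["findings"].append(f"chunk {fourcc!r} at {off} declares {size} bytes but file ends early")
        elif fourcc == b"anih" and size != ANIHEADER_SIZE:
            result["findings"].append(f"anih at {off} declares {size} bytes, ANIHEADER is {ANIHEADER_SIZE}")
    return result


# --- constructed sample files (not real-world samples) ---------------------
def chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def riff(form: bytes, body: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH = struct.pack("<9I", 36, 1, 1, 32, 32, 8, 1, 10, 1)
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 22))

GOOD_ANI = riff(b"ACON", chunk(b"anih", ANIH) + FRAMES)            # well-formed
BAD_ANI = riff(b"ACON", chunk(b"anih", ANIH + b"A" * 12) + FRAMES)  # oversized anih
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\0" * 16                         # a real JPEG start

if __name__ == "__main__":
    for name, blob in [("pointer.ani", GOOD_ANI), ("banner.jpg", BAD_ANI), ("photo.jpg", JPEG_HEAD)]:
        r = scan(name, blob)
        print(name, "ANI" if r["is_ani"] else "not ANI", r["findings"])
```

      The check never looks at the filename first: the bytes decide whether the file is a cursor, so a cursor served as banner.jpg or loaded from script-generated CSS is caught the same way. A clean .ani produces no findings; the point of the anih length check is only that a chunk which does not match the fixed-size header is malformed and worth holding for inspection, not proof of an exploit.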

  22. Un-fragging-believable! by mmell · · Score: 5, Insightful
    Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.

    If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.

    If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.

    The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?

    I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .

  23. IE protected mode by Anonymous Coward · · Score: 2, Informative

    That's not quite true. The vulnerability does allow execution of arbitrary code, however protected mode IE limits the scope of what the running code can do. With protected mode IE, IE (and any processes spawned by IE) cannot write data to arbitrary locations, cannot send window messages to arbitrary windows on the user's desktop and cannot take advantage of most of the abilities that most users have. This applies even if the user is an administrator.

    Protected mode IE *does* have the ability to read anything that the user would regularly have access to, and through a helper application (ieuser.exe) is able to ask the user to download files or change IE settings. And anything else the user does in that particular IE process can be read or altered.

    So with protected mode IE the vulnerability does allow the execution of arbitrary code and it can steal your data files, but it can't write to your regular files or system files.

    1. Re:IE protected mode by shutdown -p now · · Score: 3, Interesting

      It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.

  24. Good heavens... by Petersko · · Score: 3, Funny

    trused? compromise? Mornigs suk as.

  25. Ah yes by loconet · · Score: 2, Insightful

    Although I use Linux exclusively at home/work, here I am, silly fool, giving the benefit of the doubt to Vista and its "enhanced security". I've always been aware of IE's ability to create holes in the most unrelated portions of the OS (cursor, help pages, etc) and yet, I thought that Vista, maybe, just maybe actually was worth its 5+ years of development and it was not all spent on DRM crap. How foolish of me. Here is yet again another seemingly unrelated functionality affected by the disaster that is IE. I will not be surprised if tomorrow IE can make your desk lamp vulnerable.

    --
    [alk]
  26. Re:goddam hackers by david_g17 · · Score: 4, Funny

    You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
    ~David_g17 sharpens his spork...~
  27. Re:Hardly! by lostboy2 · · Score: 2

    What if the protective equipment is compromised, and the battlemechs dig the computer up using the mines and the lasers, and then install a Sony rootkit on it?
    True, because, as we all know, battlemechs love Celine Dion.
  28. Don't worry ! by udippel · · Score: 3, Insightful

    The Microsoft Advisory - whom we all trust - shows that the fuss here in /. is unnecessary.
    RTMF (Read The Mitigating Factors) !:

    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.

    An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


    See, much ado about nothing !:
      - the attacker would have to host a web site [surely, they couldn't, could they !]
      - the attacker could compromise a web site [probably they would not know how to, would they !]
      - the attacker has no way to force the user to visit a specific website [see !]
    Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
      - the attacker would need to persuade us [just told my wife not to answer the phone or door bell]

    Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.

    Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
    Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !

  29. Boy... by Zebra_X · · Score: 3, Funny

    Sure am glad I just upgraded to Vista and Office 2007:

    Mitigating Factors for Animated Cursor Vulnerability

      Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

      By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

    I think the important thing to note here is that MS is actually delivering on its promise to deliver a more secure OS and set of applications for users.

  30. "zero day" by I'm Don Giovanni · · Score: 2, Interesting

    "Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable."

    "Zero day"? Did you say, "ZERO DAY"??? OMG!!! It's ARMAGEDDON!!

    Sorry, "zero day", while it has meaning, is mainly used for sensationalism. PANIC!!

    BTW, on Vista, IE7 does run in protected mode by default.

    --
    -- "I never gave these stories much credence." - HAL 9000
  31. Re:That's a relief by devilspgd · · Score: 2, Interesting

    Files can be restored easily -- Right click, choose "Previous versions" and go nuts. Hurrah for shadow copies.

    --
    Give a man a fish, he'll eat for a day, but teach a man to phish...