Slashdot Mirror
Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).
Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.
http://uncyclopedia.org/wiki/User:Steve_Ballmer
With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
In Soviet Russia, cursors pwn you!
>Solution: Do not browse untrusted sites or view untrusted e-mails.
Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.
MABASPLOOM!
Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.
Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
...install an animated cursor in the first place? Okay, besides the CEO.
Our security expert, Jackson M., just tolds us:
" So, ANI are you ok ? Are you ok ANI ?
You've been hit by... you've been hit by... a smooth criminal ! "
-- Rastignac was here.
A workaround for this is to install some quality cursors.
I use the comet cursor package that installed itself automatically when I browsed the web.
It has some great cursors and loads of other features that make using Windows far more entertaining.
I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.
I guess you are not a student of Computer Science.
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple actual practice is hard.
A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Say hello to my little sig.
[Cancel] or [Allow]?
If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:
...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.
http://www.secureworks.com/research/threats/gozi/
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.
Oolite: Elite-like game. For Mac, Linux and Windows
I though Vista was supposed to be the most secure OS ever.
Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."
I think this was carefully worded by them so they could say it with an honest face.
I was going to try to be calm and rational about this, but screw it.
It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.
Seriously. Quit before you break something.
Dewey, what part of this looks like authorities should be involved?
It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.
Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.
You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.
The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:
.ANI file which exploits the hole in IE.
body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified
I am almost positive there is no way to disable this in IE.
If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.
If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.
The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?
I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .
trused? compromise? Mornigs suk as.
The Microsoft Advisory - whom we all trust - shows that the fuzz here in /. is unnecessary.
RTMF (Read The Mitigating Factors) !:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See, much ado about nothing !:
- the attacker would have to host a web site [surely, they couldn't, could they !]
- the attacker could compromise a web site [probably they would not know how to, would they !]
- the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
- the attacker would need to persuade us [just told my wife not to answer the phone or door bell]
Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.
Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !
Sure am glad I just upgraded to Vista and Office 2007:
Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
I think the important thing here to note is that MS is actually delivering on it's promise to deliver a more secure OS and set of applications for users.
IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.
I'd rather be lucky than good.
It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.
The UAC dialog would not be shown in this case. The UAC box only is shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate it's permissions while it is already running. If the process tries to access a restriced area of the filesystem/registry etc while it is already running under these permissions the API call will be denied.
The clash of honour calls, to stand when others fall.