Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

Why would my cursor run as root?

[Dr.+Zowie]

Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

Re:Why would my cursor run as root?

[644bd346996]

What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.

Re:Why would my cursor run as root?

What part of "Successful exploitation allows execution of arbitrary code." do you not understand?

Successful.

Re:Why would my cursor run as root?

[FreshMeat-BWG]

Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).

It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".

Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.

Re:Why would my cursor run as root?

[spun]

Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.

"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.

Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"

Re:Why would my cursor run as root?

[644bd346996]

Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.

Re:Why would my cursor run as root?

[Locutus]

you this that's bad, there was another security flaw in the mouse code announced over 15 months ago( Jan 05 ). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd atleast want to be refactoring what you have to touch because of bugs or, for example, security holes.

http://www.checkpoint.com/defense/advisories/publi c/2005/cpai-2005-06.html

But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band aide on it and send it right into the Windows Vista product is just plain bad.

Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.

LoB

Re:Why would my cursor run as root?

[Rutulian]

Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.

Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.

Surprise, Windows Listed as Most Secure OS

[ballmerfud]

Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.

Re: Surprise, Windows Listed as Most Secure OS

[CoolVibe]

Surprise, Windows Listed as Most Secure OS ... just don't move the mouse. and pull the network plug out while you are at it. More security :)

This old?

[LinuxGeek]

With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.

Re:This old?

[truthsearch]

This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

Re:This old?

[LilGuy]

If it were true that this was exploited for years, why would it come out now? Has something even better been found and thus this one can be trashed?

The Solution is Amazing

[neoform]

>Solution: Do not browse untrusted sites or view untrusted e-mails.

Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.

Re:The Solution is Amazing

[ehaggis]

Don't use a cursor, just guess where your mouse is pointing.

Only affects rendering using the IE engine...

[bubbl07]

From a McAfee Avert Labs blog article:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.

What kind of mouthbreather would even...

[straponego]

...install an animated cursor in the first place? Okay, besides the CEO.

Criminals using this vulnerability ?

[Rastignac]

Our security expert, Jackson M., just tolds us:
" So, ANI are you ok ? Are you ok ANI ?
    You've been hit by... you've been hit by... a smooth criminal ! "

A workaround for this...

A workaround for this is to install some quality cursors.
I use the comet cursor package that installed itself automatically when I browsed the web.
It has some great cursors and loads of other features that make using Windows far more entertaining.

I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.

Re:goddam hackers

[jellomizer]

I guess you are not a student of Computer Science.
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.

The concept is simple actual practice is hard.

A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.

Re:What's to investigate?

[rbochan]

...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...

That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.

I can hear Ballmer screaming...

[xactuary]

Cursors? Foiled again!

Re:Why does it get to be this bad?

[DoofusOfDeath]

No doubt you aren't a programmer, and wouldn't really grasp how complex a piece of software like a web browser really is,

Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.

Solution: "You are trying to move the mouse..."

[Cancel] or [Allow]?

Caution

[Alioth]

If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

http://www.secureworks.com/research/threats/gozi/ ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

Re:Vista Security.

[rajafarian]

I though Vista was supposed to be the most secure OS ever.

Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."

I think this was carefully worded by them so they could say it with an honest face.

Re:goddam hackers

[Just+Some+Guy]

Guess you are STILL a Computer Scientist student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists to every possible abuse.

I was going to try to be calm and rational about this, but screw it.

It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.

Seriously. Quit before you break something.

Re:First Pwndst

It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

Pfff. Locked in a vault?

[spun]

The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

IE loads animated cursors via CSS

[illegalcortex]

For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

I am almost positive there is no way to disable this in IE.

Re:IE loads animated cursors via CSS

[lostboy2]

SANS says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).

Un-fragging-believable!

[mmell]

Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.

If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.

If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.

The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?

I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .

Re:goddam hackers

[david_g17]

You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

~David_g17 sharpens his spork...~

Re:First Pwndst

[Frizzle+Fry]

IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.

Re:First Pwndst

[Bungie]

The UAC dialog would not be shown in this case. The UAC box only is shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate it's permissions while it is already running. If the process tries to access a restriced area of the filesystem/registry etc while it is already running under these permissions the API call will be denied.