Slashdot Mirror


Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

15 of 338 comments

  1. Why would my cursor run as root? by Dr.+Zowie · · Score: 5, Insightful

    Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

    1. Re:Why would my cursor run as root? by Anonymous Coward · · Score: 5, Funny

      What part of "Successful exploitation allows execution of arbitrary code." do you not understand?

      Successful.

    2. Re:Why would my cursor run as root? by spun · · Score: 5, Funny

      Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.

      "In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.

      Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  2. Surprise, Windows Listed as Most Secure OS by ballmerfud · · Score: 5, Funny

    Surprise, Windows Listed as Most Secure OS ... just don't move the mouse.

    --
    http://uncyclopedia.org/wiki/User:Steve_Ballmer
  3. Only affects rendering using the IE engine... by bubbl07 · · Score: 5, Interesting
    From a McAfee Avert Labs blog article:

    Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
    Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.
  4. Criminals using this vulnerability ? by Rastignac · · Score: 5, Funny

    Our security expert, Jackson M., just told us:
    " So, ANI are you ok ? Are you ok ANI ?
        You've been hit by... you've been hit by... a smooth criminal ! "

    --
    -- Rastignac was here.
  5. A workaround for this... by Anonymous Coward · · Score: 5, Funny

    A workaround for this is to install some quality cursors.
    I use the comet cursor package that installed itself automatically when I browsed the web.
    It has some great cursors and loads of other features that make using Windows far more entertaining.

    I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.

  6. I can hear Ballmer screaming... by xactuary · · Score: 5, Funny
    Cursors? Foiled again!

    --
    Say hello to my little sig.
  7. Solution: "You are trying to move the mouse..." by Anonymous Coward · · Score: 5, Funny

    [Cancel] or [Allow]?

  8. Re:The Solution is Amazing by ehaggis · · Score: 5, Funny

    Don't use a cursor, just guess where your mouse is pointing.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
  9. Caution by Alioth · · Score: 5, Informative

    If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

    http://www.secureworks.com/research/threats/gozi/ ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

    This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

  10. Re:First Pwndst by Anonymous Coward · · Score: 5, Interesting

    It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

    Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

    You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

  11. Pfff. Locked in a vault? by spun · · Score: 5, Funny

    The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  12. IE loads animated cursors via CSS by illegalcortex · · Score: 5, Informative

    For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

    body {cursor: url('cursor.ani');}
    <BODY style="CURSOR: url('cursor.ani')">
    <BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

    You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

    I am almost positive there is no way to disable this in IE.
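
A defensive check for the vector described in the comment above, as an added example that is not part of the original post: a Python scanner that a mail gateway or web proxy could run over HTML to list every CSS cursor declaration that loads a file. The function names and the sample HTML are constructed for illustration, and reporting any `url()` cursor rather than only `.ani` names is a deliberately conservative choice of this example.

```python
import re
from html.parser import HTMLParser

# A "cursor:" declaration up to the end of that declaration, then each url() in it.
CURSOR_DECL = re.compile(r"cursor\s*:([^;}]*)", re.IGNORECASE)
URL_REF = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def cursor_urls(css):
    """Return every URL referenced by a cursor declaration in a CSS fragment."""
    return [u for decl in CURSOR_DECL.findall(css) for u in URL_REF.findall(decl)]


def is_remote(url):
    return url.lower().startswith(("http://", "https://", "//"))


class CursorRefFinder(HTMLParser):
    """Collects (location, url, is_remote) for <style> blocks and style attributes."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <BODY STYLE=...> is covered.
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.hits += [(f"<{tag} style>", u, is_remote(u)) for u in cursor_urls(value)]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.hits += [("<style> block", u, is_remote(u)) for u in cursor_urls(data)]


def find_cursor_refs(html):
    finder = CursorRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: the three forms quoted in the comment plus benign declarations.
SAMPLE = """<html><head><style>
body {cursor: url('cursor.ani');}
a { cursor: pointer; background: url(bg.png); }
</style></head>
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
<a href="#" style="cursor: url(hand.cur), auto">link</a>
</BODY></html>"""
```

Calling `find_cursor_refs(SAMPLE)` returns one hit per file-loading cursor with the place it was declared and whether it points off-site; keyword cursors such as `pointer` and unrelated `url()` values such as backgrounds are not reported.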

  13. Un-fragging-believable! by mmell · · Score: 5, Insightful
    Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.

    If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.

    If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.

    The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?

    I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .