MS Plans Emergency Update to Fix .ANI Bug
A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday. MS plans emergency update to fix blinking cursor bug."
that ANI will be ok.
Wouldn't setting your own .css file in IE's accessibility options work for this? Just set the .ani to something safe and that should override any website's settings.
Pubcrawler.ca
I'd comment if I could hit the "submit" button with this darned cursor....
Well, my days of not taking you seriously are certainly coming to a middle. -Firefly
Doesn't this just make Patch Tuesday more and more irrelevant? That's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching, so there's really no excuse for it to catch people off guard in the business world, and I'm sure that most consumers think the same as me: fix my computer, and fix it now!
The only thing that saves us from the bureaucracy is its inefficiency (Eugene McCarthy)
Often this happens because some person released a working example :-( for Windows XP or what not. Then a loser or three use this code to arm their worms. Remember, the worm is written many times over, they just wait for 0day. They do not code anything, but cut and paste.
Who and where is the code? Let's thank them for their hard work.
I seriously thought that this animated cursor vulnerability was an April 1st joke. Lesson learned: with m$, the most unreal jokes become reality...
... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them which IIRC was a highly unusual step for them.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
look at the cute little fat blue dinosaur wobble!
R GESUMINLAGOSNIGERIA...
oh! what gorgeous red prancing pony!
oooh! a spinning coin, it's magic!
ha! i like how the fingers tap as they wait, it makes me smile
wait, what's this?
V1AGRATEENORGYLOANPREAPPROVEDC1A1SDEARSIRIHAVEALA
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
the "most secure" OS more than once a month?
Press ANI key to continue...
It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.
Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
I never did trust that animated peace sign.
Libertarian Leaning Political Discussion Forum.
To Windows Update, same as every day!
...because they're not staring at the blinky cursors, but at the blinky lights on the switches.
Like, for instance that switch over th...Oooohhh, blinky lights. Pretty.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday. MS plans emergency update to fix blinking cursor bug."
The Reg clearly structured this sentence knowing it would make front page on /.
It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.
Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.
Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.
You are in a maze of twisty little relative jumps, all alike.
Give us the patch already... I mean hell... they are telling us when it will be released... which means they have written it and tested it to some degree already.
They are probably using these few days to figure out how they can spin the whole issue to make them look good!
I don't know why I even care... this bug doesn't affect me in the least.
Sometimes the best solution is to stop wasting time looking for an easy solution.
That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.
"You had this look that of an angel, it was such a bad disguise" --Dishwalla
Dear Customer,
Unfortunately a horde of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnomes' cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a horde of torch and pitchfork wielding penguins and as a result we were too low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh assault to retake the security gnomes' cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.
Regards
The Microsoft Support Team.
Only to idiots, are orders laws.
-- Henning von Tresckow
If this was just a WinXP (or earlier) exploit, MS would have waited another week for additional "encouragement" of people to upgrade to the more-secure and unaffected OS - Vista. But since that's not the case, the fallback is to have them patch it before someone starts calling Vista as insecure as previous OS versions.
So I wonder if this[0] was just a run-of-the-mill dare where nobody really cares if you do it or not, or a double-dog dare, or the greatly feared TRIPLE-dog dare? Especially since "We made it way harder for guys to do exploits" [1]
[0] - http://blogs.zdnet.com/Apple/?p=422
[1] - http://www.toptechnews.com/story.xhtml?story_id=4
boycott slashdot February 10th - 17th check out: altSlashdot.org
It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon. See here for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation of what's cooking).
What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.
I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know no stronger word than urgent.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
MS plans emergency update to fix blinking cursor bug.
Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.
Pardon my language...
Blank until
I have the source for it here in front of me. It's far from trivial (buffer overflows rarely are). A good working understanding of assembler is the bare basics to start understanding what's going on. At the very least you'll need someone who can stuff your worm code into it (even further away from trivial).
This ain't some VB code that you copy, paste and alter. We're talking hand crafted assembler injection code here which does differ a lot from application to application. Just because you have a sample that opens some harmless file like edit doesn't mean it's a trivial matter to reshape it into something that starts downloading a worm from the 'net.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I wonder, would Bill Gates and Steve Ballmer taken together be two anii?
Beware: In C++, your friends can see your privates!
I am playing it safe leaving my Windows system off for a bunch of days.. .. It's no big deal, I don't use the Windows computer much anyway.. beyond the odd company application that was written in dot net crap.. Good thing most companies are seeing that they need to be multi OS supported to survive today!
I will update everything for a few hours like I feel I do every day.. then scan everything.. then just go back over to the other computer to do some work.. it sure is a lot of work owning an expensive Microsoft operating system.. !
Debian Linux Etch thank you for being a solid OS
"The more you try to overtake the plumbing, the easier it is to clog up the drain."
Microsoft please take note.
Once I was a four stone apology. Now I am two separate gorillas.
You did read how they caught this one, didn't you? It was already being exploited in the wild! As I understand it, people at Symantec who monitor IRC channels devoted to this kind of stuff heard about people planning to exploit it to grab game passwords.
It is typical M$ bullshit that the exploits only occur when descriptions are released. Most of them are caught in the wild after who knows how many people have already been compromised.
my friend,
Buffer overflows do indeed look complex, but the crafting of an exploit with shellcode is cookie cutter nowadays. If your shellcode has to be special for some reason, perhaps size is critical, sure you write your own. But otherwise we reuse shellcode many times as is found on the net or with small adjustments thrown in by the author of various exploits.
The real art of the exploit is getting your shellcode, which is in the data you control, executed. My my, what a rush to have that happen for an exploit developer after so much hard work. All the rest is downhill. People use that robust example to add into their packages (worm, exploit scanner, etc..)
Like I say, very few people write their own exploits and even fewer write their own shellcode. But with proper research what is complex can be made less so with understanding.
Dear Customer,
How dare you bitch? We invented the PC! We invented the Internet! And we damned well know more than you about how you want to use your computer! Now, if you had just purchased Vista, the most secure OS in the world, when it became available... oh no, wait!
Never mind.
Your benevolent Micro$oft overlord
I haven't seen an ANSI bug since my days as a BBS sysop years ago.
Well, it's called ".ANI" for a reason; the singular is ".ANUS". It's not surprising people are using that to screw you, but plugging that security hole is generally not the answer.
Is this the WOW that M$ is peddling?
Rumor has it ANI was struck by some smooth criminals, who came in through Windows... or something like that.
BitDefender's description of their detection of this virus:
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to user space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is an OS kernel nerd.)
I actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wanted to load the windows graphics subsystem, and the entire "environment" was pure client[user space]/server[kernel space], with the graphics "client" living entirely in user space.
Then, as you indicate, with NT 4.0, the video drivers were brought into the kernel space, and, voilà, we were introduced to the infamous Blue Screen of Death.
So what is this "quite clever technology" that allows Vista to return to the older model?
Thanks for the spoiler!
Ahh... an anti-Windows zealot shows his true colors... "She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se.". So then, you'd be HAPPY if Windows BSOD'ed for no reason, just so you could jump up and down and point and scream, "SEE??!?!! WINDOWS IS EEEEVIL!!" C'mon. Grow up. If you're married, then you've gotta be at least 16-ish. Instead, you're acting like a 12 year old.
I don't respond to AC's.
Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.
No, dude, you could boot NT 3.51 without graphics.
Just like with Windows 3.11 running on top of DOS, with NT 3.51 you could type "WIN" at a shell prompt and start the windows system.
It was absolutely teh r0x0r - possibly the coolest product Microsoft ever released.
Want to patch one day per month? Fine. How about one day per year? It's your choice.
Some would rather not delay. They're not getting THEIR choice.
Remember, if Microsoft releases a patch every 30 minutes, you can still choose one day per month to apply them all.
So they moved SOME of the GUI out, supposedly.
Huge portions are definitely still there.
You trust that? Your confidence amuses me.
NT has NEVER booted to a command line and required someone to type 'win' to boot the GUI. Just like a Mac has never booted to a command line. There is nothing under NT. Understand?
Dude - in NT 3.51, you could kill the windowing system.
Kinda like how you can kill "explorer.exe" in more recent versions of windows, and it sorta kills your "Active Desktop" before it [usually] reloads itself, only in NT 3.51, when you killed windows, you were left with a shell prompt, and you had to run "WIN.EXE" to restart windows.
It was just like loading or unloading X-Windows on a Unix system.
Like I say, NT 3.51 was just about the coolest product Microsoft ever released.
Still, and I hope we can agree upon that simple thing, even to modify an existing exploit code requires more skill than pointing and clicking. Which takes a good deal of wannabes out of the loop.
The 'art' of squeezing your code into the package and pointing the instruction pointer into it is indeed the 'only' difficulty after the exploit has been published. This is indeed not hard when you know what you're doing, but then, what is?
If you REALLY know what you're doing, mentioning that there's an overflow flaw in a certain function is all you really need. The rest can be puzzled together, provided you know your assembler.
You won't stop a problem from happening by keeping it under the cover, though. The wannabes and freeloaders ain't a problem. The problem are well organized groups that have the logistics to actually cause great harm, and those groups usually have very good access to information like this.
Basically, the only people who benefit from exposing exploits are admins trying to keep their network secure. Because they are the only people (the only that count anyway) who don't have ready access to 0day boards and the infonet that surrounds them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.