Slashdot Mirror


MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday." (Linked story: MS plans emergency update to fix blinking cursor bug.)

7 of 109 comments

  1. Perhaps M$ should.... by 8127972 · · Score: 4, Informative

    ... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them which IIRC was a highly unusual step for them.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  2. Impacted browsers by eraser.cpp · · Score: 2, Informative

    It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.

    1. Re:Impacted browsers by TheNetAvenger · · Score: 4, Informative

      Yes it is true that the vulnerability is limited on Vista since IE runs with lower permissions than the user and cannot harm anything that IE cannot touch, and IE cannot touch hardly anything in Vista.

      Also where in the heck do you get that GUI runs in kernel space? You seriously need to read up a bit on NT, as the Win32 subsystem itself doesn't even get to run in the kernel, let alone the GUI attached to it.

      You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is an OS kernel nerd.)

  3. It *DOES* download it anyway by _xeno_ · · Score: 4, Informative

    Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.

    Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.

    --
    You are in a maze of twisty little relative jumps, all alike.
  4. No by Opportunist · · Score: 3, Informative

    It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon. See here for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation of what's cooking).

    What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.

    I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know no stronger word than urgent.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Detected on Linux SMB Server... by Temujin_12 · · Score: 3, Informative

    Interestingly, clamav's weekly scan of my home Linux server caught Exploit.Win32.MS05-002.Gen in a few mp3 files and a tar.gz file. They weren't important files so I just deleted them. I have several Windows XP Professional machines that access it (the mp3s dir is used as the library root for windows media players).

    BitDefender's description of their detection of this virus:

    This generic detection targets .ANI files that contain malicious code addressing Integer overflow in the LoadImage API Vulnerability.

    --
    Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
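Added example, not written by any of the posters above: comments 4 and 5 both make the point that what matters is the file's content, not its name. A jpeg or an mp3 that is really a RIFF/ACON container is what the cursor loader will parse, so a defender's first check is structural. The Python below parses the RIFF container that .ANI files use, descends into LIST chunks, checks that each `anih` header chunk is the documented 36 bytes and that exactly one is present, and flags a RIFF/ACON payload that arrives under an unrelated extension. The 36-byte header size and the one-header rule are assumptions taken from the ANI format, not figures stated on this page; the sample files are constructed inline and contain only zero bytes.

```python
import struct

# ANIHEADER is nine 32-bit fields, so a well-formed 'anih' chunk carries 36 bytes
# (assumption from the ANI format, not a figure stated on the page).
ANIH_EXPECTED_SIZE = 36
MAX_LIST_DEPTH = 8  # guard against pathological LIST nesting


def _iter_chunks(buf, findings, depth=0):
    """Walk RIFF sub-chunks in buf, descending into LIST chunks.

    Yields (fourcc, payload); structural problems are appended to findings
    instead of raising, so a scan always produces a verdict.
    """
    if depth > MAX_LIST_DEPTH:
        findings.append("LIST nesting deeper than %d levels" % MAX_LIST_DEPTH)
        return
    pos = 0
    while pos + 8 <= len(buf):
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        start = pos + 8
        if size > len(buf) - start:
            findings.append("chunk %r declares %d bytes but only %d remain"
                            % (fourcc, size, len(buf) - start))
            return
        payload = buf[start:start + size]
        yield fourcc, payload
        if fourcc == b"LIST" and len(payload) >= 4:
            # the first four bytes of a LIST payload are the list type (e.g. 'fram')
            yield from _iter_chunks(payload[4:], findings, depth + 1)
        pos = start + size + (size & 1)  # chunks are padded to even length


def inspect_ani(data):
    """Return {'is_ani': bool, 'findings': [str, ...]} for a byte string."""
    report = {"is_ani": False, "findings": []}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return report
    report["is_ani"] = True
    findings = report["findings"]
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 > len(data):
        findings.append("RIFF header declares %d bytes, file has %d"
                        % (declared + 8, len(data)))
    anih_count = 0
    for fourcc, payload in _iter_chunks(data[12:], findings):
        if fourcc == b"anih":
            anih_count += 1
            if len(payload) != ANIH_EXPECTED_SIZE:
                findings.append("anih chunk is %d bytes, expected %d"
                                % (len(payload), ANIH_EXPECTED_SIZE))
    if anih_count == 0:
        findings.append("no anih header chunk")
    elif anih_count > 1:
        findings.append("%d anih chunks, the format defines exactly one" % anih_count)
    return report


def classify(name, data):
    """'not-ani', 'clean', or 'suspicious' for a file name and its bytes."""
    report = inspect_ani(data)
    if not report["is_ani"]:
        return "not-ani"
    # a genuine cursor under a music or archive name is worth a look on its own
    if report["findings"] or not name.lower().endswith(".ani"):
        return "suspicious"
    return "clean"


# --- constructed samples (zero-filled, not real malware) --------------------
def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _ani(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_ANI = _ani(_chunk(b"anih", bytes(36)))
# a second, oversized header tucked inside the frame list
ODD_ANI = _ani(_chunk(b"anih", bytes(36)),
               _chunk(b"LIST", b"fram" + _chunk(b"anih", bytes(40))))
JPEG_LIKE = b"\xff\xd8\xff\xe0" + bytes(20)


if __name__ == "__main__":
    samples = [("cursor.ani", GOOD_ANI), ("song.mp3", ODD_ANI), ("photo.jpg", JPEG_LIKE)]
    for name, blob in samples:
        print(name, classify(name, blob), inspect_ani(blob)["findings"])
```

The scanner never trusts a declared length: a chunk that claims more bytes than remain is reported and parsing stops, which is the failure mode the MS05-002 description in comment 5 ("integer overflow in the LoadImage API") is about. Run against a share like the one in comment 5, the extension mismatch alone is enough to pull a file aside for a closer look.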
  6. Re:Could you elaborate? by TheNetAvenger · · Score: 3, Informative

    actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wanted to load the windows graphics subsystem, and the entire "environment" was pure client[user space]/server[kernel space], with the graphics "client" living entirely in user space.

    Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.

    So what is this "quite clever technology" that allows Vista to return to the older model?

    In lay terms, MS breaks the driver into two parts. The MS side is a kernel level interface that translates up to user mode for the MFR driver.

    This is really smart for a couple of reasons.

    1) It gives the performance of a kernel level driver without exposing the system to a 3rd-party driver in kernel space.

    2) It also allows Vista to do things even NT pre-4.0 couldn't do, like live swap video (i.e. you can remove the video card and it doesn't crash the OS.) Not only can portable and external display devices connect and disconnect effortlessly, but no matter how bad a video driver is, once Vista is running it takes an act of God for the video driver to crash the OS or leave the OS without video.

    As external PCI express devices become more popular, especially for laptops, you can effortlessly switch from the onboard video to the dock or external display device. I have done this while watching a movie in Media Center and the pause to flip was less than 1 sec and it didn't even lose a frame of video.

    Basically Vista can restart the video driver by virtually unplugging the video card and turning it back on, and then if the driver continues to fail Vista will continue through several steps including turning off the video again and dropping to a generic VGA driver and restarting the video card. Eventually it will even try to activate a second video device if one is present in the system and the main video won't turn back on even with generic drivers if the card is damaged.

    So not only is it better protected from a bad video driver, it has a rather intelligent recovery process so that the user isn't left with a blank screen.