MS Plans Emergency Update to Fix .ANI Bug
A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday": MS plans emergency update to fix blinking cursor bug.
that ANI will be ok.
Wouldn't setting your own .css file in IE's accessibility options work for this. Just set the .ani to something safe and that should override any website's settings.
Pubcrawler.ca
I'd comment if I could hit the "submit" button with this darned cursor....
Well, my days of not taking you seriously are certainly coming to a middle. -Firefly
Doesn't this just make Patch Tuesday more and more irrelevant? That's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching, so there's really no excuse for it to catch people off guard in the business world, and I'm sure that most consumers think the same as me: fix my computer, and fix it now!
The only thing that saves us from the bureaucracy is its inefficiency (Eugene McCarthy)
often this happens because some person released a working example :-( for windows XP or what not. then a loser or three use this code to arm their worms. remember, the worm is written many times over, they just wait for 0day. they do not code anything, but cut and paste.
who and where is the code? let's thank them for their hard work
I seriously thought that this animated cursor vulnerability was an April 1st joke. Lesson learned: with m$, the most unreal jokes become reality...
... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them which IIRC was a highly unusual step for them.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
look at the cute little fat blue dinosaur wobble!
R GESUMINLAGOSNIGERIA...
oh! what gorgeous red prancing pony!
oooh! a spinning coin, it's magic!
ha! i like how the fingers tap as they wait, it makes me smile
wait, what's this?
V1AGRATEENORGYLOANPREAPPROVEDC1A1SDEARSIRIHAVEALA
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
the "most secure" OS more than once a month?
It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.
Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
I never did trust that animated peace sign.
Libertarian Leaning Political Discussion Forum.
To Windows Update, same as every day!
...because they're not staring at the blinky cursors, but at the blinky lights on the switches.
Like, for instance that switch over th...Oooohhh, blinky lights. Pretty.
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
"Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."
The Reg clearly structured this sentence knowing it would make front page on /.
It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.
Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.
Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.
You are in a maze of twisty little relative jumps, all alike.
Give us the patch already... I mean hell... they are telling us when it will be released... which means they have written it and tested it to some degree already.
They are probably using these few days to figure out how they can spin the whole issue to make them look good!
I don't know why I even care... this bug doesn't affect me in the least.
Sometimes the best solution is to stop wasting time looking for an easy solution.
That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.
"You had this look that of an angel, it was such a bad disguise" --Dishwalla
Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
Dear Customer,
Unfortunately a horde of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnomes' cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a horde of torch and pitchfork wielding penguins and as a result we were too low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh assault to retake the security gnomes' cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.
Regards
The Microsoft Support Team.
Only to idiots, are orders laws.
-- Henning von Tresckow
So I wonder if this[0] was just a run-of-the-mill dare where nobody really cares if you do it or not, or a double-dog dare, or the greatly feared TRIPLE-dog dare? Especially since "We made it way harder for guys to do exploits" [1]
[0] - http://blogs.zdnet.com/Apple/?p=422
[1] - http://www.toptechnews.com/story.xhtml?story_id=4
boycott slashdot February 10th - 17th check out: altSlashdot.org
It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon. See here for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation of what's cooking).
What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.
I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know no stronger word than urgent.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
MS plans emergency update to fix blinking cursor bug.
Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.
Pardon my language...
Blank until
I have the source for it here in front of me. It's far from trivial (buffer overflows rarely are). A good working understanding of assembler is the bare basics to start understanding what's going on. At the very least you'll need someone who can stuff your worm code into it (even further away from trivial).
This ain't some VB code that you copy, paste and alter. We're talking hand crafted assembler injection code here which does differ a lot from application to application. Just because you have a sample that opens some harmless file like edit doesn't mean it's a trivial matter to reshape it into something that starts downloading a worm from the 'net.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
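The two comments above describe the mechanism: the cursor file is never "run", it is parsed by a function inside a DLL that Internet Explorer loads, and a chunk length the parser trusts is what lets a malformed file corrupt the host process. The defender's fix for that class of bug is to bound every declared length against both the bytes actually present and the fixed-size structure being filled. The following C program is an added example (not code from the original thread, from Microsoft, or from the real LoadAniIcon implementation): it parses a constructed, simplified RIFF/ACON layout with one `anih` chunk, refuses chunks whose declared size exceeds the remaining input or does not match the fixed header size, and includes a builder for constructed test files so it runs offline. The 36-byte header layout, field names and error codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified fixed-size animation header (assumption: 9 little-endian u32 fields). */
typedef struct {
    uint32_t header_size, frames, steps, width, height;
    uint32_t bit_count, planes, display_rate, flags;
} anih_t;

#define ANIH_SIZE 36u  /* exact payload size the anih chunk must declare */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk the chunks of an ACON container held entirely in buf[0..len).
 * Returns 0 on success and fills *out; negative codes name the rejected condition.
 * Every size read from the file is checked before any byte is consumed. */
int parse_ani_chunks(const uint8_t *buf, size_t len, anih_t *out) {
    if (len < 12) return -1;                                     /* too short for RIFF header */
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -2;
    uint32_t riff_size = rd_le32(buf + 4);
    if (riff_size < 4 || riff_size > len - 8) return -3;        /* container claims more than we hold */
    size_t pos = 12, end = 8 + riff_size;
    int seen_header = 0;
    while (pos + 8 <= end) {
        const uint8_t *id = buf + pos;
        uint32_t csize = rd_le32(buf + pos + 4);
        pos += 8;
        if (csize > end - pos) return -4;                        /* chunk length exceeds remaining bytes */
        if (memcmp(id, "anih", 4) == 0) {
            if (csize != ANIH_SIZE) return -5;                   /* fixed struct: accept only the exact size */
            const uint8_t *p = buf + pos;
            out->header_size = rd_le32(p);      out->frames = rd_le32(p + 4);
            out->steps = rd_le32(p + 8);        out->width = rd_le32(p + 12);
            out->height = rd_le32(p + 16);      out->bit_count = rd_le32(p + 20);
            out->planes = rd_le32(p + 24);      out->display_rate = rd_le32(p + 28);
            out->flags = rd_le32(p + 32);
            seen_header = 1;
        }
        pos += csize + (csize & 1);                              /* RIFF pads odd-sized chunks */
    }
    return seen_header ? 0 : -6;
}

/* Constructed test file: one anih chunk whose DECLARED length is `declared`
 * while the real payload is always 36 bytes, mimicking a length/content mismatch. */
size_t build_test_ani(uint8_t *dst, uint32_t declared) {
    static const uint8_t payload[ANIH_SIZE] = {
        36,0,0,0, 3,0,0,0, 3,0,0,0, 32,0,0,0, 32,0,0,0,
        32,0,0,0, 1,0,0,0, 10,0,0,0, 1,0,0,0 };
    memcpy(dst, "RIFF", 4); wr_le32(dst + 4, 4 + 8 + ANIH_SIZE); memcpy(dst + 8, "ACON", 4);
    memcpy(dst + 12, "anih", 4); wr_le32(dst + 16, declared);
    memcpy(dst + 20, payload, ANIH_SIZE);
    return 20 + ANIH_SIZE;
}

/* Helpers that build a constructed file and report the parser's verdict. */
int parse_constructed(uint32_t declared) {
    uint8_t buf[64]; anih_t h;
    size_t n = build_test_ani(buf, declared);
    return parse_ani_chunks(buf, n, &h);
}
uint32_t constructed_width(void) {
    uint8_t buf[64]; anih_t h;
    size_t n = build_test_ani(buf, ANIH_SIZE);
    return parse_ani_chunks(buf, n, &h) == 0 ? h.width : 0;
}

int main(void) {
    printf("well-formed (declared 36):   %d\n", parse_constructed(36));       /* 0 */
    printf("oversized (declared 65536):  %d\n", parse_constructed(0x10000));  /* -4 */
    printf("undersized (declared 20):    %d\n", parse_constructed(20));       /* -5 */
    printf("parsed width: %u\n", constructed_width());                         /* 32 */
    return 0;
}
```

The two rejections matter for different reasons: the remaining-bytes check stops a read past the input, and the exact-size check stops a copy past the destination structure even when the file is big enough to supply the bytes. Trusting either value from the file alone is the pattern the comments above are warning about.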
I wonder, would Bill Gates and Steve Ballmer taken together be two anii?
Beware: In C++, your friends can see your privates!
"The more you try to overtake the plumbing, the easier it is to clog up the drain."
Microsoft please take note.
Once I was a four stone apology. Now I am two separate gorillas.
I haven't seen an ANSI bug since my days as a BBS sysop years ago.
Is this the WOW that M$ is peddling?
Rumor has it ANI was struck by some smooth criminals, who came in through Windows... or something like that.
BitDefender's description of their detection of this virus:
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is an OS kernel nerd.)
I actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wanted to load the windows graphics subsystem, and the entire "environment" was pure client[user space]/server[kernel space], with the graphics "client" living entirely in user space.
Then, as you indicate, with NT 4.0, the video drivers were brought into the kernel space, and, la voila, we were introduced to the infamous Blue Screen of Death.
So what is this "quite clever technology" that allows Vista to return to the older model?
Thanks for the spoiler!
Ahh... an anti-Windows zealot shows his true colors... "She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se.". So then, you'd be HAPPY if Windows BSOD'ed for no reason, just so you could jump up and down and point and scream, "SEE??!?!! WINDOWS IS EEEEVIL!!" C'mon. Grow up. If you're married, then you've gotta be at least 16-ish. Instead, you're acting like a 12 year old.
I don't respond to AC's.
Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.
No, dude, you could boot NT 3.51 without graphics.
Just like with Windows 3.11 running on top of DOS, with NT 3.51 you could type "WIN" at a shell prompt and start the windows system.
It was absolutely teh r0x0r - possibly the coolest product Microsoft ever released.
Want to patch one day per month? Fine. How about one day per year? It's your choice.
Some would rather not delay. They're not getting THEIR choice.
Remember, if Microsoft releases a patch every 30 minutes, you can still choose one day per month to apply them all.
So they moved SOME of the GUI out, supposedly.
Huge portions are definitely still there.
You trust that? Your confidence amuses me.
NT has NEVER booted to a command line and required someone to type 'win' to boot the GUI. Just like a Mac has never booted to a command line. There is nothing under NT. Understand?
Dude - in NT 3.51, you could kill the windowing system.
Kinda like how you can kill "explorer.exe" in more recent versions of windows, and it sorta kills your "Active Desktop" before it [usually] reloads itself, only in NT 3.51, when you killed windows, you were left with a shell prompt, and you had to run "WIN.EXE" to restart windows.
It was just like loading or unloading X-Windows on a Unix system.
Like I say, NT 3.51 was just about the coolest product Microsoft ever released.
Still, and I hope we can agree upon that simple thing, even to modify an existing exploit code requires more skill than pointing and clicking. Which takes a good deal of wannabes out of the loop.
The 'art' of squeezing your code into the package and pointing the instruction pointer into it is indeed the 'only' difficulty after the exploit has been published. This is indeed not hard when you know what you're doing, but then, what is?
If you REALLY know what you're doing, mentioning that there's an overflow flaw in a certain function is all you really need. The rest can be puzzled together, provided you know your assembler.
You won't stop a problem from happening by keeping it under the cover, though. The wannabes and freeloaders ain't a problem. The problem are well organized groups that have the logistics to actually cause great harm, and those groups usually have very good access to information like this.
Basically, the only people who benefit from exposing exploits are admins trying to keep their network secure. Because they are the only people (the only that count anyway) who don't have ready access to 0day boards and the infonet that surrounds them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.