Slashdot Mirror


MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday. MS plans emergency update to fix blinking cursor bug."

30 of 109 comments

  1. I'd comment if... by foxpaws · · Score: 5, Funny

    I'd comment if I could hit the "submit" button with this darned cursor....

    --
    Well, my days of not taking you seriously are certainly coming to a middle. -Firefly
    1. Re:I'd comment if... by Anonymous Coward · · Score: 2, Funny

      Sorry, my bad. Here, let me hit that button for you...

  2. Get rid of patch Tuesday by Frogmanalien · · Score: 5, Insightful

    Doesn't this just make Patch Tuesday more and more irrelevant - that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it to catch people off guard in the business world, and I'm sure that most consumers think the same as me - fix my computer, and fix it now!

    --
    The only thing that saves us from the bureaucracy is its inefficiency (Eugene McCarthy)
    1. Re:Get rid of patch Tuesday by Anonymous Coward · · Score: 3, Insightful

      They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.

      Wrong. They think it's not a big deal. But it is. It has been shown, without any surprise to security-conscious people, that there were bots and spamming-bots at several Fortune 500 companies. No matter how many anti-viruses and firewalls you've got, you're not detecting a root exploit hiding in Windows' kernel and communicating by hiding in seemingly regular http/https traffic.

      Then of course for some people the very simple need for "anti-virus and anti-malware" [sic] to be installed on every single machine is a big deal... But go explain that to armies of click-monkeys-admin who know nothing but MS's crap...

      And that is the real big deal: monkeys who don't know any better thinking "there are anti-viruses and firewalls on my network, so it's not a big deal".

      --
      Microsoft is not the answer. Microsoft is the question. And the answer is "no".

    2. Re:Get rid of patch Tuesday by rbanffy · · Score: 2, Insightful

      As a friend of mine once said, "you pay peanuts, you buy monkeys".

      There is little question a Windows administrator costs less than an experienced unix'er (a monkey can push a couple buttons and create a new user, but using adduser takes at least two working neurons), but the real question is if you want to trust your company's information to somewhat trained monkeys.

  3. Re:I'm glad ... by morgan_greywolf · · Score: 4, Funny

    that ANI will be ok.


    Not to worry. He later hooks up with a certain senator, becomes a dark sith lord, and eventually becomes the right-hand man of the ruler of the known galaxy. It's only later when his son comes around to finding him that he gets killed.

    Oh, wait...

  4. Perhaps M$ should.... by 8127972 · · Score: 4, Informative

    ... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them which IIRC was a highly unusual step for them.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:Perhaps M$ should.... by ColdWetDog · · Score: 3, Funny
      No No No No!

      Patch Tuesday is wonderful. That means I can get up Wednesday morning, boot up my wife's PC and not have to deal with "Honey, what's the flashing little shield for again?". And before you ask, yep, it's going to Ubuntu pretty soon. Just got her on Firefox ("where is the blue E thingy now? How come it works different? Did you break the computer again?").

      The good news? She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se. Time for the screwdrivers...

      --
      Faster! Faster! Faster would be better!
    2. Re:Perhaps M$ should.... by sunwukong · · Score: 3, Funny

      "where is the blue E thingy now? How come it works different? Did you break the computer again?"
      Time for the screwdrivers...


      And by that you mean the alcoholic beverage, right?

      Family tech support: proving S&M tendencies is genetic.

  5. oh how cute! by circletimessquare · · Score: 3, Funny

    look at the cute little fat blue dinosaur wobble!

    oh! what gorgeous red prancing pony!

    oooh! a spinning coin, it's magic!

    ha! i like how the fingers tap as they wait, it makes me smile

    wait, what's this?

    V1AGRATEENORGYLOANPREAPPROVEDC1A1SDEARSIRIHAVEALAR GESUMINLAGOSNIGERIA...

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  6. ANI Vuln Known Since December by halfloaded · · Score: 5, Insightful
    I am sure that MS will play this off as them being friendly and proactive by releasing a patch out of cycle. However, they have known about this vuln since December 2006. From the MS Security Response Center Blog:

    [...] this issue was first brought to [Microsoft] in late December 2006 and we've been working on our investigation and a security update since then.

    Wow! Thanks Microsoft! It seems that if a small group like ZERT can release a patch in a couple days, a company with purse strings like MS should be able to release a supported patch in less than four months!
  7. It's more serious than just "blinking". by Opportunist · · Score: 5, Interesting

    It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.

    Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Microsoft's security gnomes by MillionthMonkey · · Score: 4, Insightful

    Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix.
    Dear Microsoft,
    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
    1. Re:Microsoft's security gnomes by MillionthMonkey · · Score: 2, Funny

      Oh but Linux supports animated cursors, therefore they are the source of all goodness. But Linux doesn't have buffer overflows anywhere, so it's fine.

      Merely being able to support a stupid feature on an OS platform, if someone chooses to install it, isn't quite the same as bundling the stupid feature into the operating system itself- i.e. into a browser that was forcefully (and without too much foresight) jammed up the OS hard to bamboozle a judge. All other operating systems allow you to uninstall a piece of software like that if it introduces security holes into the system. Try doing that with IE. A security flaw in IE is an issue for the entire OS. Windows pulls IE out of its ass to render stuff all the time. Not only can't you uninstall IE from Windows, you have to keep applying security patches to IE on a regular basis even if you would really like to uninstall it.

      Now quit defending yourself on Slashdot, get back to your cubicle, and fix your browser slash operating system, security gnome.

  9. Re:possible workaround by _xeno_ · · Score: 4, Interesting

    Yes, but not quite the way you say - you'd want to override the cursor on all elements.

    The CSS override would be fairly simple:

    * { cursor: text !important; }
    /* The next rule returns links to being the little hand cursor: */
    a { cursor: pointer !important; }

    That overrides the cursor on all elements. The !important is important - the user-specified stylesheet is by default overridden by local pages. However, pages can't override !important rules in the user stylesheet.

    However, I have not checked to make sure that using that stylesheet will actually prevent IE from downloading the cursor. For all I know it will still attempt to download the cursor anyway and still be vulnerable.

    --
    You are in a maze of twisty little relative jumps, all alike.
  10. Where do you want to go today? by 192939495969798999 · · Score: 4, Funny

    To Windows Update, same as every day!

    --
    stuff |
  11. Impacted browsers by eraser.cpp · · Score: 2, Informative

    It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.

    1. Re:Impacted browsers by Skiron · · Score: 2, Funny

      "...the damage in IE 7 in Vista is quite limited in its default "protected" mode."

      I think if you are running Vista, you are _damaged_ enough anyway.

    2. Re:Impacted browsers by TheNetAvenger · · Score: 4, Informative

      Yes it is true that the vulnerability is limited on Vista since IE runs with lower permissions than the user and cannot harm anything that IE cannot touch, and IE cannot touch hardly anything in Vista.

      Also where in the heck do you get that GUI runs in kernel space? You seriously need to read up a bit on NT, as the Win32 subsystem itself doesn't even get to run in the kernel, let alone the GUI attached to it.

      You are probably confusing video drivers that were moved to the kernel level for game performance in NT4, Win2k and WinXP, but have been moved back to User space in Vista due to a new way to harness the same level of kernel level driver performance without pushing the drivers into the kernel. (Which is actually quite clever technology if anyone is an OS Kernel nerd.)

  12. It *DOES* download it anyway by _xeno_ · · Score: 4, Informative

    Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.

    Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.

    --
    You are in a maze of twisty little relative jumps, all alike.
  13. Even more proof by unborracho · · Score: 3, Insightful

    That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.

    --
    "You had this look that of an angel, it was such a bad disguise" --Dishwalla
  14. Dear Customer.. by Savage-Rabbit · · Score: 5, Funny

    Dear Microsoft,
    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.

    Dear Customer,
    Unfortunately a horde of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnome's cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a horde of torch and pitchfork wielding penguins and as a result we were too low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh assault to retake the security gnome's cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.

    Regards

    The Microsoft Support Team.
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  15. No by Opportunist · · Score: 3, Informative

    It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon. See here for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation what's cooking).

    What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.

    I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know no stronger word than urgent.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. At last! by Farmer+Tim · · Score: 4, Funny

    MS plans emergency update to fix blinking cursor bug.

    Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.

    Pardon my language...

    --
    Blank until /. makes another boneheaded UI decision.
  17. WTF?! Can't be... by __aaclcg7560 · · Score: 2, Funny

    I haven't seen an ANSI bug since my days as a BBS sysop years ago.

  18. WOW by blankaBrew · · Score: 2, Insightful

    Is this the WOW that M$ is peddling?

  19. I'm still worried... by BalorTFL · · Score: 2, Funny

    Rumor has it ANI was struck by some smooth criminals, who came in through Windows... or something like that.

  20. Detected on Linux SMB Server... by Temujin_12 · · Score: 3, Informative
    Interestingly, clamav's weekly scan of my home Linux server caught Exploit.Win32.MS05-002.Gen in a few mp3 files and a tar.gz file. They weren't important files so I just deleted them. I have several Windows XP Professional machines that access it (the mp3s dir is used as the library root for windows media players).

    BitDefender's description of their detection of this virus:

    This generic detection targets .ANI files that contain malicious code addressing Integer overflow in the LoadImage API Vulnerability
    --
    Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
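
Added example (not part of the thread, and not ClamAV's or BitDefender's signature logic): the scanner hits on .mp3 and .tar.gz files in the comment above show why ANI content has to be recognised by its bytes rather than its file extension. This Python check walks the RIFF/ACON chunk structure and reports structurally inconsistent anih header chunks; the 36-byte header size comes from the ANI file format rather than from this thread, and the function names and sample bytes are constructed for illustration.

```python
import struct

ANIH_SIZE = 36   # fixed size of the ANI header structure (format fact, not from the thread)
MAX_DEPTH = 4    # bound LIST nesting so a crafted file cannot exhaust recursion


def iter_chunks(buf, start, end, depth=0):
    """Yield (fourcc, declared_size, data_offset) for each RIFF chunk in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        yield fourcc, size, pos + 8
        if fourcc == b"LIST" and depth < MAX_DEPTH:
            # A LIST chunk is a 4-byte list type followed by nested chunks.
            yield from iter_chunks(buf, pos + 12, min(pos + 8 + size, end), depth + 1)
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length


def inspect_ani(buf):
    """Return None if buf is not RIFF/ACON content, else a list of structural findings."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return None
    findings, anih_seen = [], 0
    for fourcc, size, off in iter_chunks(buf, 12, len(buf)):
        if off + size > len(buf):
            findings.append(f"{fourcc!r} at {off - 8}: declared size {size} runs past end of data")
        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at {off - 8}: declared size {size}, expected {ANIH_SIZE}")
    if anih_seen != 1:
        findings.append(f"expected exactly one anih chunk, found {anih_seen}")
    return findings


def riff(form, *chunks):
    """Build a constructed RIFF container for the samples below."""
    body = form + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def chunk(fourcc, data, declared=None):
    """Build one chunk; 'declared' overrides the size field to make a malformed sample."""
    size = len(data) if declared is None else declared
    return fourcc + struct.pack("<I", size) + data + (b"\0" if len(data) & 1 else b"")


# Constructed samples: harmless bytes, no cursor frames, no payload.
HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD = riff(b"ACON", chunk(b"anih", HEADER))
BAD = riff(b"ACON", chunk(b"anih", HEADER, declared=80))
NOT_ANI = b"ID3\x03\x00" + b"\0" * 32   # looks like the start of an MP3 tag

if __name__ == "__main__":
    for name, data in [("song.mp3 (really ANI)", BAD), ("cursor.ani", GOOD), ("real.mp3", NOT_ANI)]:
        print(name, "->", inspect_ani(data))
```

A None result means the bytes are not ANI content at all; an empty list means ANI content with a consistent header, which says nothing about the rest of the file.
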
  21. Oh great! by risk+one · · Score: 2, Funny

    Thanks for the spoiler!

  22. Re:Could you elaborate? by TheNetAvenger · · Score: 3, Informative

    actually thought NT 3.51 was an exceedingly elegant system - it booted to a DOS-ish shell, you had to type "WIN" [for win.exe] if you wanted to load the windows graphics subsystem, and the entire "environment" was pure client[user space]/server[kernel space], with the graphics "client" living entirely in user space.

    Um... NT 3.1, 3.5, and 3.51 all booted to the Win32 subsystem GUI. You are somehow confusing Win 3.1 or something here. NT has always used Win32 as its primary subsystem, and been graphical.

    So what is this "quite clever technology" that allows Vista to return to the older model?

    In lay terms, MS breaks the driver into two parts. The MS side is a kernel level interface that translates up to user mode for the MFR driver.

    This is really smart for a couple of reasons.

    1) It gives the performance of a kernel level driver without exposing the system to a 3rd party driver in kernel space.

    2) It also allows Vista to do things even NT pre 4.0 couldn't do, like live swap video (i.e. you can remove the video card and it doesn't crash the OS.) Not only can portable and external display devices connect and disconnect effortlessly, but no matter how bad a video driver is, once Vista is running it takes an act of God for the video driver to crash the OS or leave the OS without video.

    As external PCI express devices become more popular, especially for laptops, you can effortlessly switch from the onboard video to the dock or external display device. I have done this while watching a movie in Media Center and the pause to flip was less than 1 sec and it didn't even lose a frame of video.

    Basically Vista can restart the video driver by virtually unplugging the video card and turning it back on, and then if the driver continues to fail Vista will continue through several steps including turning off the video again and dropping to a generic VGA driver and restarting the video card. Eventually it will even try to activate a second video device if one is present in the system and the main video won't turn back on even with generic drivers if the card is damaged.

    So not only is it better protected from a bad video driver, it has a rather intelligent recovery process so that the user isn't left with a blank screen.