Slashdot Mirror


Windows .ANI Problem Surfaced Two Years Ago

An anonymous reader writes "There's a new twist to the tale of the Windows .ANI exploit that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."


  1. How is that a lure? by kypper · · Score: 4, Funny

    when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites

    Talk about an anti-virus.
    If all attempts to hijack my machine involved using her as a lure, I'd uninstall AVP in a heartbeat; you couldn't pay me to see her nude.

    1. Re:How is that a lure? by Lehk228 · · Score: 5, Funny

      no she's not a mermaiden, if anything she is closer to being a submarine, huge and full of sea men

      --
      Snowden and Manning are heroes.
  2. Strange... by __aaclcg7560 · · Score: 4, Funny

    The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!

    1. Re:Strange... by morgan_greywolf · · Score: 3, Informative

      The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!

      Actually, the ANSI sequence 'viruses' (which were done by remapping keyboard keys to macro sequences which then executed commands) are just another form of terminal sequence attack that was quite popular a few years back when many people were still using terminal-oriented mail readers like pine, elm and mutt. These were the good ol' days when ISPs passed out shell accounts for reading mail and such. It forced Linux distros to shore up their termcap files and such.
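
The key-remapping trick morgan_greywolf describes relies on the ANSI.SYS key reassignment sequence, ESC [ key ; "text" ; ... p: a terminal driver that honours it will replay "text" the next time the user presses that key, so a mail reader that writes a message body straight to the terminal lets the sender plant a command. What follows is an added example, not code from the comment and not any mail reader's or distribution's code: a C filter that strips escape sequences from untrusted text before it reaches a terminal and counts how many of them were key reassignments. The sample message is constructed for the example and the function and type names are its own.

```c
/* Added example: strip terminal escape sequences from untrusted text and
 * count ANSI.SYS key reassignments (CSI sequences whose final byte is 'p').
 * Names (ScanResult, strip_escapes, demo_*) are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b

typedef struct {
    size_t sequences;   /* escape sequences removed */
    size_t key_remaps;  /* of those, ANSI.SYS "set keyboard string" (final 'p') */
} ScanResult;

/* Copy `in` (n bytes) to `out` (cap bytes, NUL-terminated) with every ESC
 * sequence removed. CSI (ESC [) runs to its final byte 0x40..0x7E; the
 * ANSI.SYS extension allows quoted macro text in the parameters, which may
 * itself contain bytes that look like a final byte, so quotes are tracked.
 * OSC (ESC ]) runs to BEL or ESC \. Any other ESC x pair is two bytes. */
ScanResult strip_escapes(const char *in, size_t n, char *out, size_t cap) {
    ScanResult r = {0, 0};
    size_t o = 0, i = 0;
    while (i < n) {
        unsigned char c = (unsigned char)in[i++];
        if (c != ESC) {
            if (o + 1 < cap) out[o++] = (char)c;
            continue;
        }
        r.sequences++;
        if (i >= n) break;
        unsigned char kind = (unsigned char)in[i++];
        if (kind == '[') {
            int in_quote = 0;
            while (i < n) {
                c = (unsigned char)in[i++];
                if (c == '"') { in_quote = !in_quote; continue; }
                if (in_quote) continue;             /* quoted macro text */
                if (c >= 0x40 && c <= 0x7e) {       /* final byte */
                    if (c == 'p') r.key_remaps++;   /* key reassignment */
                    break;
                }
            }
        } else if (kind == ']') {
            while (i < n) {
                c = (unsigned char)in[i++];
                if (c == 0x07) break;
                if (c == ESC) { if (i < n && in[i] == '\\') i++; break; }
            }
        }
    }
    if (cap) out[o] = '\0';
    return r;
}

/* Constructed sample: a message that rebinds 'A' (key code 65) to run a
 * command followed by Enter (13), plus two harmless colour sequences. */
static const char SAMPLE[] =
    "Hello\x1b[65;\"del *.*\";13pworld \x1b[1mbold\x1b[0m";

static ScanResult run_sample(char *out, size_t cap) {
    return strip_escapes(SAMPLE, sizeof SAMPLE - 1, out, cap);
}
int demo_key_remaps(void) { char o[64]; return (int)run_sample(o, sizeof o).key_remaps; }
int demo_sequences(void)  { char o[64]; return (int)run_sample(o, sizeof o).sequences; }
const char *demo_clean(void) { static char o[64]; run_sample(o, sizeof o); return o; }

int main(void) {
    printf("sequences removed: %d, key reassignments: %d, text: \"%s\"\n",
           demo_sequences(), demo_key_remaps(), demo_clean());
    return 0;
}
```

A reader that is going to display untrusted text can either drop every sequence, as this does, or keep a whitelist of harmless finals (colour and cursor movement) and drop the rest; in both cases the 'p' reassignment is the one that must never reach the terminal.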

  3. Wouldn't that be by eviloverlordx · · Score: 4, Funny

    an .ANL exploit?

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
    1. Re:Wouldn't that be by EmbeddedJanitor · · Score: 5, Funny

      No, it's a back door.

      --
      Engineering is the art of compromise.
  4. This ANI exploit is different! by andrewd18 · · Score: 5, Funny

    Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking.

    Of course this .ANI exploit is different... the one that came out in 2005 didn't affect Vista!
  5. Cut it out by symbolset · · Score: 4, Funny

    Steve, leave the slashdot editors alone. If you need to blow off steam, go throw a chair or something.

    --
    Help stamp out iliturcy.
  6. Incompetent Liars by Jeremy_Bee · · Score: 5, Insightful

    The thing that bugs me the most about these kinds of issues is the reporting of them in the media.

    If you read the slashdot summary (or even the whole first page of the article), you get the impression that some people think the bug is pretty much the same thing as the 2005 one and that Microsoft disagrees. The story is structured like a "He said, she said," kind of thing and no one is painted as right or wrong. If you *do* manage to make it to the second page of the article however, you find out that several very respected security professionals and security companies present detailed compelling evidence to the effect that Microsoft is both incompetent and disingenuous in their opinion on this bug.

    It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them. This by reason of Microsoft's own self-stated bug hunting and code modification procedures.

The conclusion is absolutely inescapable that Microsoft completely failed to follow their own basic rules of coding and security auditing here. They also are lying or at the very least splitting hairs about it being a "separate issue," and they seem to be deliberately trying to pull the wool over people's eyes about it. Yet this story has been reported around the web as a kind of "maybe McAfee is right, or maybe Microsoft is right," thing for the most part??? Why?

    On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.

    Why do people buy products from these people again?
And why do they always seem to get the benefit of the doubt in the media?

    1. Re:Incompetent Liars by Watson+Ladd · · Score: 2, Insightful

To answer the first question: API lock-in. A lot of strange hardware is Windows-only, and the same with a lot of software. Microsoft might have horrible APIs, but people use them to appeal to the Windows market, and so increase its size. Look at COM vs. Objective-C. The answer to the second question is because of the fear of a libel suit. You said the bug occurred because Microsoft didn't check it. Far more likely is they checked it incompetently. The difference is the difference between libel and truth. Actually, I might still be vulnerable to a lawsuit.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    2. Re:Incompetent Liars by garobat · · Score: 3, Interesting

      On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.

Well, considering the amount of dialog boxes kept unchanged from XP and all, it seems pretty obvious that Vista is not "all new code". And what would be the point? As long as core components are rewritten, why would they redo the whole GUI code?
    3. Re:Incompetent Liars by bendodge · · Score: 2, Insightful

      Why do people buy products from these people again? Because (overall) it just works, and has incredibly good hardware support.

It also is aesthetically pleasing. While there has been lots of effort put into making things like KDE look good, the individual shiny buttons and bars don't agree with a universal theme. Windows development is centralized, so everything fits together visually.

      I personally prefer the look of Windows XP to any OS (note I haven't used Vista), just because the gradients, buttons, and esp the fonts all fit together smoothly.
      --
      The government can't save you.
    4. Re:Incompetent Liars by ceroklis · · Score: 2, Insightful

Microsoft has access to the source code, the "experts" don't. They have simply no basis for these claims. Their conclusions are based on their ideas on how code is supposed to be written, not on knowledge of the actual structure of the code in question. Ever tried to debug old spaghetti code that was written ten years ago, never properly documented and that nobody in the organization understands anymore? Maybe it is more complicated than they think. That's why I wouldn't trust them more than Microsoft on these matters. Not that I would trust Microsoft in the first place, since they have no interest in being open and honest on these matters, but that's ok.

As an aside, I am tired of these endless criticisms of Windows. It was never marketed as an über-secure or über-robust system. So stop complaining and understand that it is a relatively inexpensive and user-friendly OS, with a good feature set, an enormous library of software, good backward compatibility and only limited work being done on its security or robustness. If the good points matter more to you than the bad ones, use it and learn to live with the occasional exploit. If you want robustness and security, put your money where your mouth is and use Trusted Solaris. But don't complain if it is expensive and has no games.

    5. Re:Incompetent Liars by UnknowingFool · · Score: 2, Interesting

      This sounds familiar. One of my friends who once worked for MS showed me a bug in the screen saver. It was first identified in NT4. It was fixed in Win2K. But when XP came out, the bug was back. It wasn't one that would allow for attack; it was just one of those annoying ones, but it was astonishing that it still existed.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    6. Re:Incompetent Liars by Tanuki64 · · Score: 2, Insightful

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places.

      I do write code. And copy-and-paste code is always a sure sign of an incompetent coder.
    7. Re:Incompetent Liars by Foolhardy · · Score: 2, Interesting
      There is a certain class of security vulnerability where malformed data passed to a library in the same process can cause code execution. From the library's point of view, since the library is in the same process as the caller, they're both at the same trust level, so calling a function does not cross a security boundary and no secure validity checking need be performed. The worst that could happen is that an app causes a library to execute code in its own process, a non-issue. The only parties involved are the application and the user library. This was the picture in 1993 when the first version of Windows NT (3.1) was released. It was largely still the case in 1995 with the release of Windows 95. This is the era where this and other vulns (like the GDI metafile escape one) are from.

      Problems start when the app passes along data from some outside untrusted source without understanding its content or validating it, like when a web browser passes an .ANI to user32.dll. Back when user32.dll was written for NT 3.1, the devs never conceived of an app implicitly loading a malicious .ANI (without validating it) from a third party. At the same time, the app would much rather treat those things as opaque blobs to pass on to libraries, implicitly expecting them to do the validation too. The libraries see the security boundary as being on the other side of the application, expecting the application to validate any data before processing. Both expect the other to validate data, but in some cases (like this one), neither do.

      Right now, the trust assumption of many user libraries hasn't been fixed because there is a lot of code in that position and it would be a lot of work to go through it all. Managers hate fixing code issues like that because it takes a lot of time and money but doesn't result in anything tangible like pretty features. Applications already suffer enough code bloat without having to implement validation for all the data they come in contact with that gets passed right to support libraries-- managers don't want to spend time and money on validating things that should be someone else's responsibility. Microsoft has had this class of vulnerability on low priority for a long time, and it's been the source of A LOT of issues.

I'm not excusing Microsoft's behavior, just trying to explain it somewhat. Someone sure dropped the ball in not finding problems similar to the 2005 issue though.

      This by reason of Microsoft's own self-stated bug hunting and code modification procedures.
      Microsoft is a big company. Not every department is following the Security Development Lifecycle, as much as marketing may like to imply it. The main two examples that do are SQL Server 2005 and IIS6, both of which are doing very well. I haven't heard Microsoft say that all of Windows or the Win32-GUI core team were using SDL.

      On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is.
      Vista contains copious amounts of new code, but very little of it replaced old code. The sound system (the mixer mainly) was largely rewritten, the backup program got replaced with a POS from scratch, the logon GUI arch (i.e. msgina.dll replacements) got replaced... and I can't think of anything else that is new code to replace old code. I'd say that at least 75% of the Windows NT3.1 code base is still present in Vista.
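
Foolhardy's description of each side assuming the other validates, and Schmugar's remark in the summary about looking for other references to the same piece of code, can be made concrete with a small parser. The following is an added example written for this page, not Microsoft's user32 code and not anything taken from the linked analysis: a RIFF/ACON (.ANI) chunk walker that hands every anih chunk to a callback, with the pre-fix pattern (a copy driven by the chunk's own size field into a 36-byte header on the stack) beside the checked form. The 36-byte ANIHEADER and the RIFF chunk layout are the public .ANI format; all function and type names and both sample files are this example's own constructions. The second sample is a valid first anih followed by an oversized second one, which is the shape the 2007 exploit files took: a loader that checks only the first anih chunk it meets and reads later ones through the old code path passes it, which is the "other references to the same piece of code" Schmugar is describing.

```c
/* Added example: a minimal .ANI (RIFF/ACON) chunk walker showing the unchecked
 * anih copy next to a checked one. Not Microsoft's code; names are my own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u   /* sizeof(ANIHEADER): cbSizeof, cFrames, cSteps, cx, cy,
                           cBitCount, cPlanes, JifRate, flags = nine DWORDs */

typedef struct { uint32_t f[ANIH_SIZE / 4]; } AniHeader;
typedef int (*anih_fn)(const uint8_t *data, uint32_t size, AniHeader *out);

static uint32_t rd32(const uint8_t *p) {           /* little-endian, as in RIFF */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Pre-fix pattern: the chunk's own size field drives a copy into a fixed
 * 36-byte stack object, so a chunk declaring size > 36 overwrites the stack.
 * Present only for contrast; main() runs it on the benign sample alone. */
int anih_unchecked(const uint8_t *data, uint32_t size, AniHeader *out) {
    AniHeader hdr;
    memcpy(&hdr, data, size);          /* BUG: size is attacker-controlled */
    *out = hdr;
    return 0;
}

/* Hardened form: exactly one ANIHEADER's worth of bytes, and the header's own
 * cbSizeof field must agree, before anything is used. */
int anih_checked(const uint8_t *data, uint32_t size, AniHeader *out) {
    if (size != ANIH_SIZE) return -1;
    memcpy(out, data, ANIH_SIZE);
    return out->f[0] == ANIH_SIZE ? 0 : -1;
}

/* Walk every chunk after the 12-byte "RIFF"<len>"ACON" preamble and hand each
 * anih chunk to fn, so a second anih is inspected exactly like the first.
 * Returns 0 if every anih passes, -1 if a chunk runs past the end of the
 * buffer, -2 if fn rejects a header. */
int walk_ani(const uint8_t *buf, size_t len, anih_fn fn, AniHeader *out) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    for (size_t pos = 12; pos + 8 <= len; ) {
        uint32_t size = rd32(buf + pos + 4);
        if (size > len - (pos + 8)) return -1;  /* body would run past EOF */
        if (memcmp(buf + pos, "anih", 4) == 0 && fn(buf + pos + 8, size, out) != 0)
            return -2;
        pos += 8 + size + (size & 1);           /* RIFF pads bodies to even */
    }
    return 0;
}

int validate_ani(const uint8_t *buf, size_t len) {
    AniHeader h;
    return walk_ani(buf, len, anih_checked, &h);
}

/* Constructed samples: a well-formed file, and one with a valid first anih
 * followed by a second anih whose size field claims 64 bytes. */
static size_t put_anih(uint8_t *dst, uint32_t size, uint8_t fill) {
    memcpy(dst, "anih", 4);
    wr32(dst + 4, size);
    memset(dst + 8, fill, size);
    wr32(dst + 8, ANIH_SIZE);                   /* cbSizeof looks legitimate */
    return 8 + size + (size & 1);
}
static size_t build_ani(uint8_t *buf, int second_anih) {
    size_t n = 12;
    memcpy(buf, "RIFF", 4);
    memcpy(buf + 8, "ACON", 4);
    n += put_anih(buf + n, ANIH_SIZE, 0x00);
    if (second_anih) n += put_anih(buf + n, 64, 0x41);
    wr32(buf + 4, (uint32_t)(n - 8));
    return n;
}

int demo_benign(void)      { uint8_t b[160]; return validate_ani(b, build_ani(b, 0)); }
int demo_second_anih(void) { uint8_t b[160]; return validate_ani(b, build_ani(b, 1)); }
int demo_truncated(void)   { uint8_t b[160]; size_t n = build_ani(b, 0); return validate_ani(b, n - 4); }

int main(void) {
    uint8_t b[160];
    AniHeader h;
    size_t n = build_ani(b, 0);
    printf("benign, unchecked loader: %d\n", walk_ani(b, n, anih_unchecked, &h));
    printf("benign, checked loader:   %d\n", demo_benign());
    printf("second anih, checked:     %d\n", demo_second_anih());
    printf("truncated, checked:       %d\n", demo_truncated());
    return 0;
}
```

Two design points: the walker bounds every chunk against the buffer length before looking at its contents, so a size field cannot pull the reader past the end of the file, and the per-chunk check sits in one function that every anih occurrence goes through, so there is no second copy of the copy loop for a fix to miss.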
    8. Re:Incompetent Liars by Bodrius · · Score: 4, Insightful

Really? I write code for a living too, and a categorical statement of the form "doing X is ALWAYS a sign of an incompetent coder"... always seems to me, at best, a sign of an inexperienced coder. Either that, or an extremely lucky one.

      I'll just assume your case is the latter :-)

      Sure, copy-and-paste duplication should be avoided where possible, along with gotos, reinventing the wheel, long complicated functions, lack of type safety, etc.
      Also, all code should really be a perfect and pristine example of elegance and modularity. Bug-free is even better!

      Reality bites, though.

Unless we're talking of brand-new projects of a small size, I find it really hard to believe that committing to 0% copy-and-paste code is a practical proposition.

      For a non-trivial product with some legacy, copy-and-paste is often the best among various non-optimal choices.

      - Do you really want to tightly couple these two unrelated components because you want to use those 5 lines of code?
      - Can you afford to carry over all of the dependencies on that library or class?
      - Or can you afford the refactoring to avoid those dependencies? How many new components (which were not changing before) do you need to retest now that you pulled the code out?
      - Can you afford to lose that development and testing time on other features that you need for RTM?

          That's not to mention the almost-guaranteed design time discussing where that re-usable code should move to in the first place... and do we need to change it to make it more generic? Do we need to ship all the refactored components with no functionality change? etc. etc.

      I agree with the sentiment: Copy-and-paste duplication sucks, and should be avoided wherever possible.

      But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.

      --
      Freedom is the freedom to say 2+2=4, everything else follows...
  7. Out of interest.... by Anonymous Coward · · Score: 5, Funny

    How many other people clicked on the "teaser of nude Britney Spears pictures" link in the Slashdot story and were bitterly disappointed?

    1. Re:Out of interest.... by mattpointblank · · Score: 5, Funny

      You mean the link does go to nude pictures?

    2. Re:Out of interest.... by Rakshasa+Taisab · · Score: 4, Funny

      Do you mean; disappointed because they saw the pictures, or because they didn't?

      --
      - These characters were randomly selected.
  8. useless by digital+bath · · Score: 2, Insightful

    this is useless without pictures

    --
    find / -name "*.sig" | xargs rm
  9. Re:It would be nice to have real information on th by jwgoerlich · · Score: 2, Informative

Does anyone have a link to any information that actually explains how this exploit works?

    Here you go: Analysis of ANI "anih" Header Stack Overflow Vulnerability

    Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode. Just like Jon Ellch and David Maynor showed with the Apple wireless driver exploit, if you can get access to the kernel, you can do pretty much anything you want. Any code you run will no longer be limited to the permissions of your user account.

    J Wolfgang Goerlich
  10. Here's a plausible version of what happened by Beryllium+Sphere(tm) · · Score: 2, Informative
  11. Re:It would be nice to have real information on th by mgiuca · · Score: 2, Interesting

    Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode.
    This is why I've been saying this problem has NOT been caused by a mere "bug in the code". Bugs happen to everyone, and it's not about blaming people. It's an accident.

    But this issue has not been caused by a mere bug. It's been caused by a catastrophic design flaw in Windows itself (which I personally believe is a side-effect of Microsoft's marketing strategy) - and that is that EVERYTHING is in the kernel. In UNIXes, the GUI is nowhere near the kernel. There is no hope in hell in a UNIX environment of a mouse cursor taking control of your computer. This is caused by the fact that the GUI in windows runs partly in kernel mode. It's the architecture's fault.

    If you ask me, this goes right down to the name of the OS - "Windows". It says it all. "This operating system is based on the GUI". And it literally is. The side-effect is that the GUI itself (the windows) can attack your computer.
  12. Re:It would be nice to have real information on th by cnettel · · Score: 2, Informative

    The analysis you link to does not mention the kernel. It's true that some GDI is in kernel land, but a surprising amount of resource access, like this, is not. The exploit, in its current form, is firmly in the userland part, and constrained by the security tokens of the thread and process. That's often bad enough, though.