It was discovered last week that the code ALL VERSIONS of Windows use to process animated cursor (.ANI) files can be exploited by a malformed cursor file. This vulnerability is now being exploited widely. There is currently no way to separately disable the Windows subsystem that processes cursor animations.
This is a particularly dangerous vulnerability in that it lets an attacker's code execute with the privileges of whatever program loaded the cursor, and the flawed cursor-loading code lives in a core Windows user-interface library that nearly every process loads, so there is no single program to avoid. The flawed code is present even in Safe Mode.
Be sure to download and install the latest updates for your antivirus software and for Windows this week if those updates are not configured to occur automatically.
Do not expect overt symptoms: a user's regular cursor will not suddenly become animated, nor will an existing animated cursor (if they are using one) start behaving strangely. Although the vulnerability is in animated-cursor handling, the cursor file is simply the delivery vector; the payload it carries can be ANY infection that compromises a Windows system.
Infection can be accomplished through
· encounters with compromised websites (even legitimate websites)
· opening or previewing HTML emails or attachments that contain a malicious .ANI file (the file need not carry the .ani extension; Windows recognises it by its contents, so it can be disguised as almost any other image type)
Current (pre-patch) protections
· Using Internet Explorer v7.0 running in Protected Mode on Windows VISTA
· Using OUTLOOK 2007 (renders HTML with MS Word instead of Internet Explorer)
NOTE: All other versions of Internet Explorer and all other Microsoft email clients, including Windows Mail on VISTA, are vulnerable, EVEN IF THE EMAIL IS READ IN TEXT-ONLY MODE!!
A temporary patch is currently available through a third party. It is not supported by Microsoft, so test it before deploying it widely and plan to replace it with the official update as soon as that is released.
Microsoft has announced that they will be releasing an official patch this week through Windows Update/Microsoft Update.
Most major antivirus vendors have already released updated definitions that heuristically detect malformed or "unauthorized" .ANI content, whatever extension the file carries.
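As an added example (not code from the original post, and not any vendor's detection logic), the following Python script shows the kind of content-based check that implies: it ignores the file extension, recognises an animated cursor from its RIFF/ACON header, walks the chunk list, and flags any anih header chunk whose declared length is not the 36 bytes of the documented ANIHEADER structure. The 36-byte size is the documented structure size; treating any other length as suspicious is this example's own heuristic. The sample files are constructed inline and are not real malware.

```python
"""Content-based scanner for animated cursor (RIFF/ACON) files.

Added example, not code from the original post. It identifies a cursor
by its bytes rather than its extension, walks the RIFF chunk list, and
flags any 'anih' chunk whose declared length is not the 36 bytes of the
documented ANIHEADER structure. Flagging any other length is this
example's own heuristic, not a vendor signature.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def is_ani(data):
    """True if the bytes start with a RIFF container of type ACON, whatever the file name."""
    return len(data) >= 12 and data[:4] == b'RIFF' and data[8:12] == b'ACON'


def _walk(data, start, end, findings, counter):
    """Walk RIFF chunks in data[start:end], recursing into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from('<I', data, pos + 4)
        payload = pos + 8
        if fourcc == b'anih':
            counter[0] += 1
            if length != ANIHEADER_SIZE:
                findings.append(
                    f'anih #{counter[0]}: declared length {length}, expected {ANIHEADER_SIZE}')
        if payload + length > end:
            name = fourcc.decode('ascii', 'replace')
            findings.append(
                f'truncated {name} chunk: declares {length} bytes, only {end - payload} present')
            return
        if fourcc == b'LIST':
            # First four payload bytes are the list type; the rest are nested chunks.
            _walk(data, payload + 4, payload + length, findings, counter)
        pos = payload + length + (length & 1)  # chunks are padded to an even size


def scan_ani(data):
    """Return a list of findings for an ACON file; an empty list means nothing suspicious."""
    findings = []
    if not is_ani(data):
        return findings  # not an animated cursor, regardless of extension
    (riff_len,) = struct.unpack_from('<I', data, 4)
    end = min(len(data), 8 + riff_len)
    counter = [0]
    _walk(data, 12, end, findings, counter)
    if counter[0] == 0:
        findings.append('no anih chunk: not a usable animated cursor')
    return findings


# --- constructed samples (not real malware) ---------------------------------

def build_ani(chunks):
    """Assemble a minimal RIFF/ACON file from (fourcc, payload) pairs."""
    body = b'ACON'
    for fourcc, payload in chunks:
        body += fourcc + struct.pack('<I', len(payload)) + payload
        if len(payload) & 1:
            body += b'\0'
    return b'RIFF' + struct.pack('<I', len(body)) + body


# cbSize, nFrames, nSteps, iWidth, iHeight, iBitCount, nPlanes, iDispRate, bfAttributes
VALID_ANIH = struct.pack('<9I', ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)

SAMPLE_GOOD = build_ani([(b'anih', VALID_ANIH)])
# A second anih chunk declaring far more than 36 bytes: this is what the scanner flags.
SAMPLE_OVERSIZED = build_ani([(b'anih', VALID_ANIH), (b'anih', b'A' * 1000)])
SAMPLE_NOT_ANI = b'GIF89a' + b'\0' * 20  # a GIF header: ignored by the scanner

if __name__ == '__main__':
    for label, blob in [('good.ani', SAMPLE_GOOD),
                        ('oversized.jpg', SAMPLE_OVERSIZED),  # disguised extension
                        ('picture.gif', SAMPLE_NOT_ANI)]:
        print(label, 'ani' if is_ani(blob) else 'not ani', scan_ani(blob))
```

Because the check runs on content, the same function covers a cursor served by a web page and one attached to an email under a .jpg name; a check keyed on the file extension would miss both. A truncated file is reported rather than silently accepted, since a chunk that declares more bytes than are present is exactly the kind of input a length-trusting parser mishandles.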
Programmer's analysis (PDF warning; also deeply geeky)
SANS Institute Internet Storm Center: collected reports (and links)
Apparently NO BROWSER IS "SAFE" (Firefox, Opera, whatever); only the specific IE configurations listed above will prevent this exploit from executing. This is NOT a browser vulnerability or "rendering issue"; it is a flaw in the WINDOWS OS itself. Browsers merely pass the cursor file through to the flawed Windows animated-cursor processing code.