
It was discovered last week that the way every current version of Windows (2000 through Vista) parses animated cursor (.ANI) files is open to attack by malicious code, and this vulnerability is now being exploited widely.  The parser lives in a core Windows library rather than in any one application, so there is currently no way to disable animated-cursor processing separately.

This is a particularly dangerous vulnerability: a crafted cursor file lets an attacker run arbitrary code with the privileges of whichever user's program loaded it (the browser, the mail client, or Explorer itself), and because the flawed parser sits in a core library used by practically every process that draws a window, it is reachable even in Safe Mode.

If your antivirus and Windows updates are not configured to install automatically, be sure to download and install the latest ones this week.

Symptoms
There may be no overt symptoms that an ordinary user would notice: do not expect the regular cursor to suddenly become animated, or an existing animated cursor (if one is in use) to start behaving strangely.  Although the vulnerability lives in animated cursor handling, the cursor file is simply the vector; once it has run, ANY infection can be planted on the Windows system.

Infection can be accomplished through
· visiting compromised websites (even legitimate websites that have been tampered with)
· opening or previewing HTML emails or attachments that contain a malicious .ANI file (which can carry almost any image extension, since Windows recognizes it by content rather than by name)

Current (pre-patch) protections
· Using Internet Explorer v7.0 in Protected Mode on Windows VISTA (the exploit still runs, but inside a low-integrity process that limits what it can do to the system)
· U
· Using OUTLOOK 2007 (it renders HTML with MS Word instead of Internet Explorer)

NOTE:  All other versions of Internet Explorer and all other Microsoft email clients, including Windows Mail on VISTA, are vulnerable, EVEN IF THE EMAIL IS READ IN TEXT-ONLY MODE: forwarding or replying to a message, or opening an attachment, can still hand the file to the flawed parser.

A temporary, unofficial patch is currently available from a third party; treat it as a stopgap until Microsoft's fix arrives.

Microsoft has announced that they will be releasing an official patch this week through Windows Update/Microsoft Update.

Most major antivirus vendors have already released updated signatures that heuristically detect malformed or "unauthorized" .ANI files, whatever extension they carry.
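As an added illustration of what such a content-based check looks like (this is not code from the post, from Microsoft, or from any antivirus vendor), the following Python scanner walks the RIFF structure of an animated cursor by content, ignoring the file extension, and flags the malformed "anih" chunk shape that the public analysis of this flaw describes: Windows copies an anih chunk into a fixed 36-byte header structure using the length the file itself declares, so an oversized or extra anih chunk is the thing to look for. The sample files are constructed inline; the chunk walker, the finding strings, and the `build_ani` helper are this example's own.

```python
"""Content-based scanner for malformed animated cursor (.ANI) files.

Added example, not from the original post. The RIFF/ACON layout and the
36-byte ANIHEADER size are the documented Windows format; the finding
strings and the sample files below are constructed for this example.
"""
import struct

# sizeof(ANIHEADER): the anih chunk is copied into a buffer of this size,
# so any anih chunk that declares a different length is malformed.
ANIHEADER_SIZE = 36


def iter_chunks(data, start=12):
    """Walk the top-level RIFF chunks after the 12-byte "RIFF<size>ACON" header.

    Yields (fourcc, declared_size, payload). A chunk whose declared size runs
    past the end of the data is yielded with a short payload so the caller
    can flag the truncation instead of trusting the declared length.
    """
    pos, end = start, len(data)
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def scan_ani(data):
    """Return a list of findings for the bytes of a file; [] means structurally sane.

    The filename is deliberately not an input: a renamed .jpg or .gif that is
    really RIFF/ACON data is still parsed as a cursor, so only the bytes count.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]

    anih_count = 0
    for fourcc, size, payload in iter_chunks(data):
        if len(payload) < size:
            findings.append(
                f"chunk {fourcc!r} declares {size} bytes but only {len(payload)} present")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIHEADER_SIZE:
                findings.append(
                    f"anih chunk #{anih_count} is {size} bytes; expected "
                    f"{ANIHEADER_SIZE} (would overflow the header buffer)")
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks; a well-formed cursor has one")
    return findings


def build_ani(anih_payloads):
    """Constructed helper: assemble a minimal RIFF/ACON file from anih payloads."""
    body = b"ACON"
    for payload in anih_payloads:
        body += b"anih" + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: one sane header, and the oversized-second-anih shape.
GOOD_ANI = build_ani([bytes(ANIHEADER_SIZE)])
BAD_ANI = build_ani([bytes(ANIHEADER_SIZE), b"A" * 900])

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, scan_ani(sample) or "ok")
```

The scanner only walks top-level chunks, which is where the anih header lives; a fuller implementation would also descend into the LIST chunks that hold the individual frames. The point it demonstrates is the one the advisories make: the decision to block a file has to be made on its bytes, not its name.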

References:
Microsoft TechNet

Programmer's analysis (PDF WARNING - also, deeply geeky)

SANS Institute, Internet Storm Center collected reports (and links)

/_____________________

UPDATE:

Apparently, NO BROWSER IS "SAFE" (Firefox, Opera, whatever); only the specific IE configuration listed above limits what the exploit can do.  This is NOT a vulnerability or "rendering issue" in the browsers; it is a flaw in the WINDOWS OS itself.  Browsers merely hand the cursor file through to the flawed Windows animated-cursor processing code.

Originally posted to sxwarren on Mon Apr 02, 2007 at 09:29 AM PDT.
