Windows Zero-day “Animated Cursor” Vulnerability

April 2, 2007 by Kiltak |

By Matt Pearson
Contributing Writer, [GAS] 

A lovely new zero-day vulnerability in Microsoft Windows has hit the public scene.

At the end of March, exploitation of a previously (publicly) unknown vulnerability in Windows’ animated cursor (ANI) processing was detected in the wild. This new vulnerability is now being widely exploited to install Trojan malware into unpatched Windows 2000, XP, Server 2003 and Vista systems.

The exploit involves the use of a maliciously-formed “.ANI” file. These files are used to create “animated cursors” that are often used to visually enhance web pages. Unfortunately, since the vehicle for this exploit is HTML, attack vectors can include web pages and email messages.

Apparently Microsoft has known about this vulnerability for awhile, and has only now been motivated to fix things with the public release of proof-of-concept exploit code. Thankfully, eEye Research has published an interim patch. This vulnerability is severe enough that Microsoft is pushing an out-of-cycle patch for this sucker.

A discussion with security guru Steve Gibson on this vulnerability, as well as some extra links, is online in the Security Now podcast.

You Might Also Like:
Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • del.icio.us
  • bodytext
  • StumbleUpon
  • Fark
  • Reddit
  • Technorati
  • Mixx
  • Pownce
  • Slashdot
  • TwitThis

Posted in Microsoft, Security, Uncategorized | | Random Post

Did you enjoy this post? If so, subscribe to the geeksaresexy RSS feed.

RSS feed | Trackback URI

6 Comments »

Comment by Mackenzie
2007-04-02 15:33:34
If this was announced by ZDNet last week, I’m pretty sure it’s disqualified from being called “zero-day.”
Reply to this comment
Comment by TheMatt
2007-04-02 17:35:38
Even if it was announced by ZDNet last week, that’s still significantly later than December 20th (which was when Microsoft was first made aware of this vulnerability by an independent researcher). This puts it solidly in the realm of the “zero-day” definition. Proof-of-concept code is out in the wild well before Microsoft’s patch is rolled out.
Reply to this comment
 
 
Comment by Mackenzie
2007-04-02 17:46:04
Doesn’t zero-day mean the exploit is made public with “zero days of warning” to the company in charge (in this case, Microsoft)? I’m pretty sure the day-count goes by when the company (or development team) is alerted to the issue, not when they get around to patching it. It wouldn’t exactly be a vulnerability if it’s announced after the patches are already out. Hey, Microsoft knew about the MS Word issues for months without patching them.
Reply to this comment
Comment by TheMatt
2007-04-06 18:00:14
As far as I know, the term “zero-day” applies the time between patch release and public knowledge. If exploit code is publicly released before a patch for it is released. This interpretation is backed up by an admittedly shaky Wikipedia article.

I guess the point I got from this news is that it doesn’t really matter when the vendor learns of a vulnerability…what’s more important is the proximity of public knowledge of the vulnerability, working exploit code, and the release of a patch to fix the vulnerability. In this case, the advanced notice that Microsoft received from a responsible researcher was squandered when they failed to proactively release a patch before proof-of-concept code showed up in the wild and the vulnerability became public…and now it can be actively exploited until everyone’s Windows Update will grab the patch. And even then, autonomous worms will continue to propagate by this exploit when they can.

Also, it’s important to note that “patch released” does not mean “vulnerability negated.” Any unpatched systems will still be vulnerable…and we all know that all manner of people don’t know or care to update their systems. That’s why a clean, unpatched Windows install stays uninfected for mere minutes when connected to the public Internet.

Reply to this comment
 
 
Pingback by links for 2007-04-04 at Baron VC
2007-04-04 12:22:59
[...] Windows Zero-day “Animated Cursor” Vulnerability Animated cursors? Hello? One of the reasons I love these guys (from afar). (tags: windows microsoft) [...]
Reply to this comment
 
Comment by Ursula
2007-04-06 15:27:13
my laptop hasn’t been the same since this FIX was forced on my system. What a joke. It moved system32 function of my AVG grisoft software so now my laptop is not protected with an antivirus. And the fix Microsoft suggests is another patch that has to do with some audio crap that has nothing to do with my machine. I am so mad I could scream.
Reply to this comment
 
Name (required)
E-mail (required - never shown publicly)
URI
Subscribe to comments via email
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> in your comment.

| [GAS] Privacy Policy |