Windows Zero-day “Animated Cursor” Vulnerability

By Matt Pearson
Contributing Writer, [GAS] 

A lovely new zero-day vulnerability in Microsoft Windows has hit the public scene.

At the end of March, exploitation of a previously (publicly) unknown vulnerability in Windows’ animated cursor (ANI) processing was detected in the wild. This new vulnerability is now being widely exploited to install Trojan malware on unpatched Windows 2000, XP, Server 2003 and Vista systems.

The exploit involves the use of a maliciously formed “.ANI” file. These files are used to create “animated cursors” that are often used to visually enhance web pages. Unfortunately, since the vehicle for this exploit is HTML, attack vectors can include web pages and email messages.

Apparently Microsoft has known about this vulnerability for a while, and has only now been motivated to fix it by the public release of proof-of-concept exploit code. Thankfully, eEye Research has published an interim patch. This vulnerability is severe enough that Microsoft is pushing an out-of-cycle patch for this sucker.

A discussion with security guru Steve Gibson on this vulnerability, as well as some extra links, is online in the Security Now podcast.