Windows Zero-day “Animated Cursor” Vulnerability

By Matt Pearson
Contributing Writer, [GAS] 

A lovely new zero-day vulnerability in Microsoft Windows has hit the public scene.

At the end of March, exploitation of a previously (publicly) unknown vulnerability in Windows’ animated cursor (ANI) processing was detected in the wild. This new vulnerability is now being widely exploited to install Trojan malware into unpatched Windows 2000, XP, Server 2003 and Vista systems.

The exploit involves a maliciously formed “.ANI” file. These files define “animated cursors”, which are often used to visually enhance web pages. Unfortunately, since the vehicle for this exploit is HTML, attack vectors include web pages as well as email messages.
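As an added example (not code from the article, from Microsoft or from eEye's interim patch), this Python check parses the RIFF/ACON container of an .ANI file and flags the structural defects a defender would scan for at a mail or web gateway: chunk sizes that run past the end of the file, and an anih header chunk whose declared size is not the fixed 36 bytes of the ANIHEADER structure. The sample files are constructed inline; the contents of nested LIST chunks are not descended into.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def iter_riff_chunks(data, start, end):
    """Yield (fourcc, payload) for each top-level chunk in data[start:end]."""
    pos = start
    while pos < end:
        if pos + 8 > end:
            raise ValueError("truncated chunk header at offset %d" % pos)
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            raise ValueError("chunk %r at offset %d runs past end of data" % (fourcc, pos))
        yield fourcc, data[body:body + size]
        pos = body + size + (size & 1)  # RIFF pads odd-sized chunks to an even length


def check_ani(data):
    """Return a list of findings; an empty list means the file is structurally sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) file"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size + 8, len(data)))
    try:
        for fourcc, payload in iter_riff_chunks(data, 12, min(riff_size + 8, len(data))):
            # The anih header is a fixed-size structure; any other declared size is malformed.
            if fourcc == b"anih" and len(payload) != ANIH_SIZE:
                findings.append("anih chunk declares %d bytes, expected %d" % (len(payload), ANIH_SIZE))
    except ValueError as err:
        findings.append(str(err))
    return findings


def riff_chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(anih_payload):
    # Constructed minimal ACON file: one anih chunk followed by an empty frame LIST.
    body = b"ACON" + riff_chunk(b"anih", anih_payload) + riff_chunk(b"LIST", b"fram")
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a correct 36-byte header, and one padded out to 100 bytes (malformed).
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN_ANI = build_ani(GOOD_ANIH)
MALFORMED_ANI = build_ani(GOOD_ANIH + b"\0" * 64)
```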

Apparently Microsoft has known about this vulnerability for a while, and has only now, with the public release of proof-of-concept exploit code, been motivated to fix it. Thankfully, eEye Research has published an interim patch. This vulnerability is severe enough that Microsoft is pushing an out-of-cycle patch for this sucker.

A discussion with security guru Steve Gibson on this vulnerability, as well as some extra links, is online in the Security Now podcast.


13 Responses to Windows Zero-day “Animated Cursor” Vulnerability

    • Even if it was announced by ZDNet last week, that's still significantly later than December 20th (which was when Microsoft was first made aware of this vulnerability by an independent researcher). This puts it solidly in the realm of the "zero-day" definition. Proof-of-concept code is out in the wild well before Microsoft's patch is rolled out.

  1. Doesn't zero-day mean the exploit is made public with "zero days of warning" to the company in charge (in this case, Microsoft)? I'm pretty sure the day-count goes by when the company (or development team) is alerted to the issue, not when they get around to patching it. It wouldn't exactly be a vulnerability if it's announced after the patches are already out. Hey, Microsoft knew about the MS Word issues for months without patching them.

    • As far as I know, the term "zero-day" applies to the time between patch release and public knowledge: exploit code is publicly released before a patch for it is released. This interpretation is backed up by an admittedly shaky Wikipedia article.

      I guess the point I got from this news is that it doesn't really matter when the vendor learns of a vulnerability…what's more important is the proximity of public knowledge of the vulnerability, working exploit code, and the release of a patch to fix the vulnerability. In this case, the advance notice that Microsoft received from a responsible researcher was squandered when they failed to proactively release a patch before proof-of-concept code showed up in the wild and the vulnerability became public…and now it can be actively exploited until everyone's Windows Update grabs the patch. And even then, autonomous worms will continue to propagate by this exploit when they can.

      Also, it's important to note that "patch released" does not mean "vulnerability negated." Any unpatched systems will still be vulnerable…and we all know that all manner of people don't know or care to update their systems. That's why a clean, unpatched Windows install stays uninfected for mere minutes when connected to the public Internet.

  2. Pingback: links for 2007-04-04 at Baron VC

  3. My laptop hasn't been the same since this FIX was forced on my system. What a joke. It moved system32 function of my AVG grisoft software so now my laptop is not protected with an antivirus. And the fix Microsoft suggests is another patch that has to do with some audio crap that has nothing to do with my machine. I am so mad I could scream.