Vulnerability in Windows Animated Cursor Handling

Can this vunerability also use Firefox or Opera as a vector?

 

Flash about crashing loop of explorer.exe: http://www.avertlabs.com/research/blog/?p=233

Anyone knows, if this HTML vulnerability does need/use WSH (Windows Script Host) to work?

 

According to Determina, this is a Windows problem and all applications that use certain Windows API calls are affected. This includes Explorer, IE, Firefox, Outlook and Outlook Express, etc.

Reading mail in Outlook Express in Plain Text is NOT protective. Determina recommends reading all mail using Telnet until there are patches. (That will be lots of fun).

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-03/msg00536.html

Vista, according to McAfee, enters an endless loop of crashing and restarting if a malicious ani file is put on the desktop. There's a video of this:
http://www.avertlabs.com/research/blog/?p=233

 

eeye security has a temporary patch which I am about to install.

http://research.eeye.com/html/alerts/zeroday/20070328.html

 

Microsoft: Attacks on Windows flaw rise

article

 

Microsoft Knew About the Critical .ANI Vista Vulnerability Since December 2006.

I wonder, could they postpone the update to keep Vista's name clean as long as possible?

 

I don't care what vulnerability it is, what's affected by it should be repaired and patched.
As quickly as possible.

 

Most AV's detecting it now.

Gerard

 

I wonder how long this has already been actively exploited, so far no problems over her, but I have installed the patch from eEye. I guess it must be real hard for MS to come up with a good and stable patch.

 

The Internet Storm Center (SANS Institute) has just raised the Internet threat level to YELLOW because of this exploit:

"*ANI exploit code drives INFOCon to Yellow
Published: 2007-03-31,
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)
The ANI vulnerability has been been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4,) FS/ISAC's Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is to "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.

* Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
* The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
* The number of compromised sites pointing to malicious sites is also on the rise.

Recommendations:

* Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
* Content-filtering. If your environment supports it, dropping ANI files (not based on file extention, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)"

»isc.sans.org/diary.html?storyid=2542

My AV, AVIRA, does NOT protect. I have inquired at the Avira forums but first my inquiry was moved to the most obscure forum there and then when I asked if Avira was ashamed of not detecting this and was that why my inquiry was hidden, it was moved again to a forum where more may see it. I will be watching to see if Avira updates today or tomorrow for this. If not, then I may look elsewhere for an AV. Plus, free Avira will not help the Outlook Express situation as it has no email scanner. I have avoided using an email scanner on OE because of Microsoft's admonitions to not do so due to the fragility of the OE database store. But in instances such as this, I certainly would turn on an AV scanner for OE if I had one.

 

after today's update(vdf 6.38.00.155 and engine 7.03.1.47), antivir has detected it as EXP/MS05-002.Ani.A, confirmed by visiting an infected webpage. However, this definition doesn't show up on the vdf update list. So i think it's been integrated into the latest engine(7.03.1.47)

If I read/write emails as plain text, will my machine get infected?


Jotti table removed - If\when vendors receive samples they will act on this item according to the priority they deem necessary.

 

Mele.,

When I mentioned the above to a friend she went to the site but somehow ended up downloading a free version of something which was 38 MB's - can you please advise if she has missed the patch and what this 38 MB's might be ?

When I go there I don't want to install something if it's not necessary, apparently she had to register before downloading whatever it is.

TIA.

 

Scroll down almost to the bottom, it should be 961 kB.

Gerard

 

Hi Mele, it,s OT but I saw u still using Antivir, what about floppy drive issue?

 

OT:
The floppy drive sent by Dell was DOA. Dell has sent another but the tech and I couldn't get together when it arrived Friday so I probably cannot test Avira with the new floppy drive until next Wed or Thurs whichever day it gets installed.

 

Yes, I have the update and Avira has several pages about it but mostly in German and Google translation leaves much to be desired. Plus, Avira has some misleading information up indicating that the MS patch from 2005 will patch this also. I think they were so busy getting the definition out and engine updated that they haven't had time to fix the info pages very well. I mentioned this at the Avira forum a few minutes ago.

Why is Avira using the name of the older, similar exploit? Kinda of confusing.

Avira got this out just in time. Have you guys seen this https://www.wilderssecurity.com/showthread.php?t=170459

The OP went to a normal site "Gamespot" and got infected with ANI.

 

Microsoft has just announced that a patch for ANI will be issued on April 3!

http://blogs.technet.com/msrc/archi...e-for-microsoft-security-advisory-935423.aspx

 

Anyone has link to some proof-of-concept or at least a real one? I would like to try it.

 

You can go to http://zert.isotf.org/tests/testani.htm to test. Fx will pass. IE should crash. If your AV is protecting you will get an alert from it about detecting a trojan in some jpeg files in your temp folder.

 

Thanks. Well, my IE crashed after all.

 

That is interesting. I see you have IE 7 and Vista. I have IE 6 and XP Pro SP2 and IE did not crash and the test page said I was invulnerable but Avira popped up and said it found a trojan in the TIF. So, I am not invulnerable. I don't know why the test page says that and I am surprised IE didn't crash. I do use the Proxomitron and that might have provided partial protection...enough to keep IE from crashing but not from downloading the nasty. Actually, crashing as yours did is probably better because there was no nasty file download like with IE6.

 

LinkScanner Pro stopped it for me.

Microsoft planned a patch for tomorrow april 3.

Gerard

 

For those of you who installed the Eeye Patch:

Gerard