Vulnerability in Windows Animated Cursor Handling

Discussion in 'other security issues & news' started by ronjor, Mar 29, 2007.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Microsoft Security Advisory (935423)
     
  2. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,073
    Can this vulnerability also use Firefox or Opera as a vector?
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    This is all I know so far.

    Secunia
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    According to Determina, this is a Windows problem and all applications that use certain Windows API calls are affected. This includes Explorer, IE, Firefox, Outlook and Outlook Express, etc.

    Reading mail in Outlook Express in Plain Text is NOT protective. Determina recommends reading all mail using Telnet until there are patches. (That will be lots of fun).

    http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-03/msg00536.html

    Vista, according to McAfee, enters an endless loop of crashing and restarting if a malicious ani file is put on the desktop. There's a video of this:
    http://www.avertlabs.com/research/blog/?p=233
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
  7. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,073
    Microsoft: Attacks on Windows flaw rise

    article
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I don't care what vulnerability it is, what's affected by it should be repaired and patched.
    As quickly as possible.
    ;)
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Most AV's detecting it now.

    Gerard
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I wonder how long this has already been actively exploited. So far no problems over here, but I have installed the patch from eEye. I guess it must be real hard for MS to come up with a good and stable patch. :blink:
     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The Internet Storm Center (SANS Institute) has just raised the Internet threat level to YELLOW because of this exploit:

    "ANI exploit code drives INFOCon to Yellow
    Published: 2007-03-31,
    Last Updated: 2007-03-31 14:31:15 UTC
    by Kevin Liston (Version: 1)
    The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.

    Rating systems such as Symantec's ThreatCon (currently at 2 of 4,) FS/ISAC's Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is to "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

    In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.

    * Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
    * The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
    * The number of compromised sites pointing to malicious sites is also on the rise.

    Recommendations:

    * Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
    * Content-filtering. If your environment supports it, dropping ANI files (not based on file extension, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.

    We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)"

    isc.sans.org/diary.html?storyid=2542

    My AV, AVIRA, does NOT protect. I have inquired at the Avira forums but first my inquiry was moved to the most obscure forum there and then when I asked if Avira was ashamed of not detecting this and was that why my inquiry was hidden, it was moved again to a forum where more may see it. I will be watching to see if Avira updates today or tomorrow for this. If not, then I may look elsewhere for an AV. Plus, free Avira will not help the Outlook Express situation as it has no email scanner. I have avoided using an email scanner on OE because of Microsoft's admonitions to not do so due to the fragility of the OE database store. But in instances such as this, I certainly would turn on an AV scanner for OE if I had one.
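The ISC recommendation quoted above, to drop ANI files by actual file inspection rather than by file extension, as an added example that is not part of the original post or of the ISC diary: a small Python inspector that recognises an ANI file by its RIFF/ACON signature whatever its file name, walks the RIFF chunks, and reports whether the file is structurally compliant. The specific checks (exactly one anih chunk, declaring the 36-byte ANIHEADER length, and no chunk running past its container) are my own assumption of what a "non-compliant ANI" signature could look like, not ISC's or any vendor's actual rule; the sample files are constructed inline.

```python
import struct
from typing import Dict, List, Tuple

# sizeof(ANIHEADER): nine 32-bit fields (cbSize, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags). Any other declared length is flagged;
# treating that as "non-compliant" is an assumption made for this example.
ANIHEADER_SIZE = 36


def is_ani(data: bytes) -> bool:
    """Identify an ANI file by content only: a RIFF container with form type ACON."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def walk_chunks(data: bytes, start: int, end: int, problems: List[str]) -> List[Tuple[bytes, int]]:
    """Walk RIFF chunks in data[start:end], descending into LIST chunks.

    Returns (chunk id, declared size) pairs in file order and records any chunk
    whose declared size runs past the end of its container.
    """
    chunks: List[Tuple[bytes, int]] = []
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            problems.append(f"chunk {cid!r} declares {size} bytes but only {end - body} remain")
            break
        chunks.append((cid, size))
        if cid == b"LIST":
            # A LIST body starts with a 4-byte list type, then nested chunks.
            chunks.extend(walk_chunks(data, body + 4, body + size, problems))
        pos = body + size + (size & 1)  # chunks are padded to even length
    return chunks


def inspect_ani(data: bytes) -> Dict[str, object]:
    """Content-based verdict on a file: is it ANI, and does it look structurally sane?"""
    problems: List[str] = []
    if not is_ani(data):
        return {"is_ani": False, "compliant": False, "problems": ["not a RIFF/ACON file"], "chunks": []}
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if 8 + riff_size > len(data):
        problems.append(f"RIFF header declares {riff_size} bytes, file holds {len(data) - 8}")
    end = min(8 + riff_size, len(data))
    chunks = walk_chunks(data, 12, end, problems)
    anih_sizes = [size for cid, size in chunks if cid == b"anih"]
    if len(anih_sizes) != 1:
        problems.append(f"expected exactly one anih chunk, found {len(anih_sizes)}")
    for size in anih_sizes:
        if size != ANIHEADER_SIZE:
            problems.append(f"anih chunk declares {size} bytes, ANIHEADER is {ANIHEADER_SIZE}")
    return {"is_ani": True, "compliant": not problems, "problems": problems, "chunks": chunks}


# ---- constructed sample files (not real-world samples) -------------------------
def _chunk(cid: bytes, body: bytes) -> bytes:
    return cid + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_ani(anih_body: bytes, extra: bytes = b"") -> bytes:
    """Build a minimal ANI container: ACON form type, one anih chunk, optional extra chunks."""
    payload = b"ACON" + _chunk(b"anih", anih_body) + extra
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# Well-formed header: cbSize=36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane, rate 10, flags 1.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = build_ani(GOOD_HEADER, _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 4)))
OVERSIZED_ANI = build_ani(b"\0" * 64)                             # anih declares 64 bytes
DOUBLE_ANI = build_ani(GOOD_HEADER, _chunk(b"anih", GOOD_HEADER))  # two anih chunks
NOT_ANI = b"\xff\xd8\xff\xe0" + b"\0" * 20                         # JPEG-looking bytes

if __name__ == "__main__":
    for name, blob in [("good", GOOD_ANI), ("oversized", OVERSIZED_ANI),
                       ("double", DOUBLE_ANI), ("jpeg", NOT_ANI)]:
        print(name, inspect_ani(blob))
```

Because the verdict comes from the bytes, a file that arrives as `cursor.jpg` or sits in a browser cache with a random name is judged exactly like one named `cursor.ani`, which is the point of ISC's "not based on file extension" advice. A mail or web gateway would drop or quarantine anything where `is_ani` is true and `compliant` is false, and could, during an unpatched window, drop all ANI content regardless.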
     
  13. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    After today's update (VDF 6.38.00.155 and engine 7.03.1.47), AntiVir has detected it as EXP/MS05-002.Ani.A, confirmed by visiting an infected webpage. However, this definition doesn't show up on the VDF update list, so I think it's been integrated into the latest engine (7.03.1.47).

    If I read/write emails as plain text, will my machine get infected?


    Jotti table removed. If/when vendors receive samples they will act on this item according to the priority they deem necessary.
     
    Last edited by a moderator: Apr 1, 2007
  14. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Mele.,

    When I mentioned the above to a friend she went to the site but somehow ended up downloading a free version of something which was 38 MB. Can you please advise if she has missed the patch and what this 38 MB might be?

    When I go there I don't want to install something if it's not necessary, apparently she had to register before downloading whatever it is.

    TIA.
     
  15. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Scroll down almost to the bottom, it should be 961 kB.

    Gerard
     

  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Mele, it's OT but I saw you are still using AntiVir. What about the floppy drive issue?
     
  17. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    OT:
    The floppy drive sent by Dell was DOA. Dell has sent another but the tech and I couldn't get together when it arrived Friday so I probably cannot test Avira with the new floppy drive until next Wed or Thurs whichever day it gets installed.
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Yes, I have the update and Avira has several pages about it but mostly in German and Google translation leaves much to be desired. Plus, Avira has some misleading information up indicating that the MS patch from 2005 will patch this also. I think they were so busy getting the definition out and engine updated that they haven't had time to fix the info pages very well. I mentioned this at the Avira forum a few minutes ago.

    Why is Avira using the name of the older, similar exploit? Kind of confusing.

    Avira got this out just in time. Have you guys seen this https://www.wilderssecurity.com/showthread.php?t=170459

    The OP went to a normal site "Gamespot" and got infected with ANI. :(
     
  19. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
  20. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Does anyone have a link to some proof-of-concept or at least a real one? I would like to try it.
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You can go to http://zert.isotf.org/tests/testani.htm to test. Fx will pass. IE should crash. If your AV is protecting you will get an alert from it about detecting a trojan in some jpeg files in your temp folder.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Thanks. Well, my IE crashed after all. :'(
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That is interesting. I see you have IE 7 and Vista. I have IE 6 and XP Pro SP2, and IE did not crash and the test page said I was invulnerable, but Avira popped up and said it found a trojan in the TIF. So, I am not invulnerable. I don't know why the test page says that, and I am surprised IE didn't crash. I do use the Proxomitron and that might have provided partial protection, enough to keep IE from crashing but not from downloading the nasty. Actually, crashing as yours did is probably better because there was no nasty file download like with IE6.
     
  24. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    LinkScanner Pro stopped it for me.

    Microsoft has planned a patch for tomorrow, April 3.


    Gerard
     
  25. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    For those of you who installed the Eeye Patch:

    Gerard
     