M$ Animated Cursor Exploit ..... Pt 1

RadioPatrol

Guest
:coffee:
This is long and somewhat technical ...........
Microsoft Security Advisory (935423)
Vulnerability in Windows Animated Cursor Handling
Published: March 29, 2007

Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.
Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.
Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability. For more information see the “Workarounds and Mitigations” and “Suggested Actions” sections of the security advisory.

Advisory Status: Issue Confirmed, Security Update Planned

Recommendation: Do not visit untrusted websites or view unsolicited email

This advisory discusses the following software.
Related Software

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 2

Microsoft Windows Server 2003

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Vista


Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Animated Cursor, a component of Microsoft Windows. This affects the software that is listed in the “Overview” section. It is similar in scope to other Animated Cursor issues.

Is this a security vulnerability that requires Microsoft to issue a security update?
Yes.

What causes this threat?
The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons.

What does this feature do?
Animated cursors are a feature that allows a series of frames, one after another, to appear at the mouse pointer location instead of a single image, thus producing a short loop of animation. The Animated Cursors feature is designated by the .ani suffix.


What might an attacker use this function to do?
An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

:whistle:

Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In other words, your PC will be Owned :razz: Once exploited, the cracker could run code, programs, install Trojans, i.e. back doors .......

Workarounds for Animated Cursor Vulnerability

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail preview attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only. For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
The changes are applied to the preview pane and to open messages.
Pictures become attachments so that they are not lost.

Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
 
RadioPatrol

Guest
M$ Animated Cursor Exploit ....... Pt 2

:coffee:

Suggested Actions

Protect Your PC

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.

For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

We recommend that customers exercise extreme caution when they accept file transfers from both known and unknown sources. For more information about how to help protect your computer while you use MSN Messenger, visit the MSN Messenger Frequently Asked Questions Web site.

Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Resources:
You can provide feedback by completing the form by visiting the following Web site.
Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
March 29, 2007: Advisory published

Gee Ya Notice How MS Never Accepts Responsibility for Anything ......... :smack: Keeping Windows updated ......... kinda hard since there is no patch yet .....
 

mindgasm

New Member
There are some other factors that have been strategically left out of the advisory.

Firefox users are not affected by the vulnerability. The vulnerability relies on Internet Explorer's access to install and run files to which it should not have access. IE6 and IE7, running on operating systems through Windows XP SP2, are vulnerable. IE7 on Vista is not vulnerable, since IE7 runs in protected mode on Vista.

Outlook is still vulnerable, since it relies on the IE engine for rendering. It has been verified that emails viewed/previewed in plaintext are not vulnerable. While not verified, it stands to reason that rich text would also be safe, as it doesn't rely on the IE rendering engine. So far, it appears that Thunderbird email clients are not vulnerable, as they do not use the IE rendering engine.

The third potential exposure is through an executable file that comes as an attachment. This REALLY shouldn't be an issue.

Finally, while most animated cursors come as .ani files, this vulnerability is not limited to them. Apparently, the exploit can also be spread using the jpeg format, as well as others.

What irks me the most is that McAfee announced the exploit on Wednesday, and informed Microsoft. Microsoft waited until LiveCare was updated, before acknowledging the exploit. Also, this is not the first animated cursor exploit. Another existed in January 2005. Some test files which were designed for that exploit also can trigger this new exploit.

This has the potential to make tomorrow very unfun.
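
The advisory's statement that an attack "is not constrained by this file type", and the note above about files arriving under a JPEG name, mean a filter has to look at content rather than the extension. An added example (not from the advisory or from any poster in this thread): Python that recognises animated-cursor data by its RIFF/ACON magic and applies strict structural checks. The 36-byte `anih` header size is part of the ANI format; the single-header rule and all function and sample names are this example's own assumptions.

```python
import struct

ANIH_SIZE = 36  # fixed size of the header structure carried in an 'anih' chunk

def is_ani(data: bytes) -> bool:
    """Identify animated-cursor content by its RIFF/ACON magic, not its file name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def walk_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, size, offset, fits) per chunk, descending into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_end = pos + 8 + size
        yield fourcc, size, pos, body_end <= end
        if body_end > end:
            return  # nothing after an overrunning chunk can be trusted
        if fourcc == b"LIST":
            yield from walk_chunks(data, pos + 12, body_end)
        pos = body_end + (size & 1)  # chunks are padded to an even length

def validate_ani(data: bytes) -> list:
    """Return structural problems found; an empty list means the checks passed."""
    if not is_ani(data):
        return ["not RIFF/ACON content"]
    problems, anih_count = [], 0
    for fourcc, size, pos, fits in walk_chunks(data, 12, len(data)):
        if not fits:
            problems.append(f"chunk at offset {pos}: size {size} overruns container")
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                problems.append(f"anih at offset {pos}: size {size}, expected {ANIH_SIZE}")
    if anih_count != 1:
        problems.append(f"{anih_count} anih chunks, expected 1")
    return problems

# Constructed samples (not real cursors): a header-only file and two variants.
def chunk(fourcc: bytes, body: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(body)) + body + b"\0" * (len(body) & 1)

def riff_acon(*chunks: bytes) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD = riff_acon(chunk(b"anih", HEADER))  # passes whatever name it is saved under
ODD_HEADER = riff_acon(chunk(b"anih", HEADER + bytes(4)))  # header chunk of 40 bytes
TRUNCATED = GOOD[:-8]  # declared chunk size exceeds the data present
```

A mail or web gateway would run `is_ani` on every image-typed object and quarantine anything for which `validate_ani` returns a non-empty list.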
 
RadioPatrol

Guest
mindgasm said:
There are some other factors that have been strategically left out of the advisory.

Firefox users are not affected by the vulnerability.


Yep 110% Correct - Of course M$ Would leave that out .......... :smack:

I use Firefox for all my web Browsing ....... and have not opened Outlook in years ... all my mail is web based, of course companies don't get this luxury :whistle:

Ah the world would be so much better on Macs ........ :lmao:

the drive by hit is the worst, because most ppl by default use Internet Exploiter :faint:


M$ <------ :buttkick:
 

mindgasm

New Member
Actually, we are in the middle of rolling out Outlook Web Access for our users. Combine web access with the familiarity of Outlook, and it reduces a lot of headaches. More importantly, it works in Firefox and Opera.

I recognize Macs are a solid platform, but I have no interest in them. I am slowly in the process of moving over to Ubuntu, and so far it is working nicely.
 
RadioPatrol

Guest
mindgasm said:
Actually, we are in the middle of rolling out Outlook Web Access for our users. Combine web access with the familiarity of Outlook, and it reduces a lot of headaches. More importantly, it works in Firefox and Opera.

I recognize Macs are a solid platform, but I have no interest in them. I am slowly in the process of moving over to Ubuntu, and so far it is working nicely.


Ubuntu is a good thing, I loaded PCLinuxOS here on an old Dell GX1 to play with .... of course since I remodeled my computer Room, I need to find a place to put the box back up ...........

I have used Macs since 1988, and PCs since 1995 .... and have worked in the IT Industry since 2000 when I got out of the Blue Collar Trades ( Plumber, Electrician, Automotive Work ) .........


OWA is nice I had several customers that loved it for checking email from home or on Travel ..........
 