Friday, March 30, 2007 5:09 PM cmosby

SANS Internet Storm Center - Windows Animated Cursor Handling vulnerability - CVE-2007-0038 - Updated


Windows Animated Cursor Handling vulnerability - CVE-2007-0038

Published: 2007-03-29,
Last Updated: 2007-03-30 21:40:50 UTC
by Maarten Van Horenbeeck (Version: 10)

Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows renders animated cursor files can allow execution of arbitrary code under the privileges of the user who downloaded the malicious file. CVE-2007-0038 (previously also CVE-2007-1765) has been assigned to this vulnerability.
Affected are Windows 2000 SP4, XP SP2 (but not SP0 and SP1), Server 2003 and Vista. While animated cursors are usually downloaded as .ani files, blocking that extension is not sufficient to mitigate the vulnerability: we have received reports of this vulnerability being exploited in the wild using files renamed with a jpeg extension.
McAfee has a blog entry up on this. They also have a second blog entry with a video showing Windows Explorer crashing in a loop on Windows Vista when a malicious animated cursor is dropped on the desktop. Trend Micro is reporting on malicious .ANI files and related links being spread over the web and through e-mail that attempt to download a trojan executable, WINCF.EXE.
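Because renamed .ani files defeat extension-based blocking, a filter has to look at content instead. The following is an added example (not from the ISC diary or Microsoft) that identifies animated cursors by their RIFF container with the ACON form type, walks the top-level chunks, and flags files carrying that content under an unrelated extension; the extension set, builder helper and sample bytes are constructed for the example.

```python
import os
import struct

ANI_EXTENSIONS = {".ani", ".cur"}  # extensions under which ACON content is expected (assumption)

def parse_riff(data: bytes):
    """Return (form_type, chunks, truncated). chunks lists (id, size) for the
    top-level chunks; truncated is True when a chunk claims more bytes than the
    file holds. Non-RIFF data yields (None, [], False)."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None, [], False
    form_type = data[8:12].decode("ascii", "replace")
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        chunks.append((cid, size))
        if pos + 8 + size > len(data):
            return form_type, chunks, True
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length
    return form_type, chunks, False

def inspect(filename: str, data: bytes) -> dict:
    """Classify by the RIFF/ACON signature, not the file name, and report a
    mismatch when ACON content hides behind a non-cursor extension."""
    form_type, chunks, truncated = parse_riff(data)
    is_ani = form_type == "ACON"
    ext = os.path.splitext(filename)[1].lower()
    return {
        "is_ani": is_ani,
        "chunks": chunks,
        "truncated": truncated,
        "extension_mismatch": is_ani and ext not in ANI_EXTENSIONS,
    }

def build_riff(form_type: bytes, chunks) -> bytes:
    """Constructed sample builder (test data only): RIFF header plus chunks."""
    body = b""
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form_type + body

# Constructed samples: a minimal ANI (36-byte anih header), a WAV, and a JPEG stub.
SAMPLE_ANI = build_riff(b"ACON", [(b"anih", struct.pack("<I", 36) + b"\x00" * 32)])
SAMPLE_WAV = build_riff(b"WAVE", [(b"fmt ", b"\x00" * 16)])
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("cursor.jpg", SAMPLE_ANI), ("sound.wav", SAMPLE_WAV), ("photo.jpg", SAMPLE_JPEG)]:
        print(name, inspect(name, blob))
```

Running the block prints the classification for each constructed sample; on a mail or web gateway the same check would be applied to the attachment bytes rather than to the advertised name or MIME type.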

Mitigation:

  • Microsoft is reporting that users of Internet Explorer 7 with Protection Mode are protected from active exploitation.
  • E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon. [Thunderbird | Outlook & 2.0].
  • Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.

Recent mitigation updates:

  • Microsoft has now confirmed that:
    • Outlook 2007 users are protected (as the tool uses Word to display HTML messages);
    • Users of Windows Mail on Vista are protected if they do not forward or reply to malicious e-mail;
    • Outlook Express users remain vulnerable even when reading e-mail as plaintext.
  • eEye has released an unofficial patch that you may wish to consider.

The vulnerability has been added to our missing Microsoft patches table.

References:

CVE-2007-1765: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

A good write-up and analysis of one ani exploit in action:
http://www.mnin.org/write/ani-notes.pdf
Arbor Network's write-up:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
