Friday, March 30, 2007 11:23 AM cmosby

Symantec Security Response Weblog: Cursors and Icons and Exploits—Oh My!

 


Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons. If successfully exploited, it allows an attacker to execute code remotely on the victim machine. To carry out an attack, the attacker would need to convince potential victims either to visit a Web site hosting a page that exploits the vulnerability, or to view a specially crafted email message or email attachment. An affected system could then execute the attacker's code once the user has viewed the malicious Web page, previewed or read the specially crafted message, or opened the specially crafted email attachment.

While it is similar to the vulnerability described in Microsoft Security Bulletin MS05-002, this is an entirely new vulnerability. Currently, there is no patch available from Microsoft; however, according to Microsoft's advisory, the following workaround will help to block potential attack vectors. From their advisory:

"Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail preview attack vector."

Users of Symantec products are already protected from this threat. So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension. Users are advised to ensure they have the latest security updates installed; this will help them mitigate the vulnerability until a patch is available from Microsoft. Additionally, Symantec is advising that users should avoid opening email messages from unknown or untrusted sources.

Posted by Andy Cianciotto on March 29, 2007 04:40 PM

Source: Symantec Security Response Weblog: Cursors and Icons and Exploits—Oh My!
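
The post notes that submitted samples were generally .ani files renamed with a .jpg extension, so a name-based filter is not enough. The following Python check is an added example (not code from Symantec or Microsoft): it classifies a file by its leading bytes and applies generic RIFF structure checks to animated cursor content. The function names and sample byte strings are constructed for illustration, and the checks are format sanity checks, not a signature for this exploit.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER is nine 32-bit fields

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    return "unknown"

def inspect(name: str, data: bytes) -> list:
    """Return findings for one file: extension mismatch and RIFF structure errors."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if sniff(data) != "ani":
        return findings
    if ext != "ani":
        findings.append(f"extension .{ext} but content is RIFF/ACON (animated cursor)")
    pos = 12  # first chunk follows 'RIFF' <size> 'ACON'
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        tag = cid.decode("latin-1")
        if cid == b"LIST":
            pos += 12  # step into the list: skip its header and list type
            continue
        if pos + 8 + size > len(data):
            findings.append(f"chunk {tag} at offset {pos} declares {size} bytes, past end of file")
            break
        if cid == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih chunk at offset {pos} has size {size}, expected {ANIH_SIZE}")
        pos += 8 + size + (size & 1)  # chunks are padded to an even length
    return findings

def _chunk(cid: bytes, body: bytes) -> bytes:
    return cid + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def _riff(body: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"ACON" + body

# Constructed samples (not real cursor files or captured malware).
GOOD_ANI = _riff(_chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
ODD_ANI = _riff(_chunk(b"anih", b"\x00" * 40))
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("banner.jpg", GOOD_ANI), ("arrow.ani", ODD_ANI), ("photo.jpg", JPEG)]:
        print(name, inspect(name, blob) or "ok")
```

A check like this belongs at a mail or Web gateway or in triage tooling, where files are inspected before any component renders them.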
