- Jan 17, 2006
http://blogs.zdnet.com/security/?p=143
A private security research outfit says it notified Microsoft about the animated cursor (.ani) code execution vulnerability since December 2006, a full four months ahead of yesterday's discovery of Internet Explorer drive-by attacks.
According to Alexander Sotirov, chief reverse engineer at Determina, his research team discovered and reported the flaw to Microsoft last December. On January 3, 2007, Microsoft reserved CVE-2007-0038 to use in its security bulletin.
So far this year, Microsoft has shipped 16 bulletins to fix a wide swathe of software vulnerabilities, but the animated cursor bug remains unpatched.
A Redmond spokesman confirmed that Determina responsibly disclosed the details of this flaw since last year. "We have been working with Determina since their report in December to investigate the issue and develop a comprehensive update to address the issue," the spokesman said.
So, why has it taken so long to provide protection to Windows users? Microsoft explains:
Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the ****** knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.
Meanwhile, Determina warns that the vulnerability is "trivially exploitable on all versions of Windows, including Vista. The protected mode of IE7 will lessen the impact of the vulnerability, but shellcode execution is of course still possible." Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer.
This is a fast-moving story with multiple angles. Here are some important things to pay attention to:
** eEye Digital Security, a research firm that found an almost identical bug in 2005 (see MS05-002), is offering a free third-party patch. eEye's interim patch comes with source code. This patch is buyer-beware so use at your own risk.
** The only workaround guidance from Microsoft is to read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. However, reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
** For Users of Outlook Express, using plain text is not an effective mitigation and users should be extremely careful when reading mail from untrusted or malicious sources.
** In addition to IE, e-mail is a nasty attack vector because an attack can be launched silently if the target simply opens a specially crafted HTML message. However, users of Outlook 2007 are not at risk from the HTML or Preview Pane attack vectors when using Word as their default editor or reading e-mail in plain text. Users of Outlook 2002 (with Office XP Service Pack 1 or a later version) and Outlook 2003 can enable the setting to read mail as plain text to successfully mitigate against attacks using the HTML or Preview Pane attack vectors.
** Mark Miller, director of the ****** (Microsoft Security Response Center) tells me the in-the-wild attacks are still "very limited and targeted" but this could change quickly because exploit code that gives attackers a roadmap to exploit the flaw is publicly available. If the attacks escalate, Microsoft will consider an out-of-band emergency patch.
** This vulnerability does affect Windows Vista. However, Miller believes there are several mitigations that will reduce the risk for Vista users. These include Internet Explorer 7 in Protected Mode and UAC (User Account Control) which gives the user a pop-up warning ahead of an exploit. This is the first in-the-wild exploit that's available for Windows Vista.
** The SANS Internet Storm Center has published a list of hostile domains hosting drive-by exploits.
** WebSense and others have found frightening similarities to the Super Bowl Web site breach earlier this year. This highlights just how widespread this could become if certain high-traffic sites or advertising networks are hijacked and seeded with
Looks like this vulnerability has been around for SEVERAL months! So, what do you Vista users have to say now, huh? Looks like all that cockiness has finally caught up to all of you.
http://www.cbc.ca/technology/story/2007...edcursorflaw-20070330.html#skip300x250
A security flaw in Microsoft Corp.'s Windows software that leaves computers vulnerable to hijack is linked to February's attack on the website of Super Bowl host Dolphin Stadium, researchers say.
In an advisory issued by Microsoft Thursday, the world's largest software maker said it had confirmed that multiple versions of Windows, including the latest Vista version, contain a flaw in the way the operating system handles animated cursors or pointers.
The animated cursor files end with the filename extension ".ani" and are sometimes used by software such as Microsoft's Office suite and by website developers to enhance or modify the experience of using the computer. The vulnerability could allow an attacker to take control of a computer.
WINDOWS VERSIONS AFFECTED
- Vista
- 2000 SP4
- XP SP2
- XP 64-bit v. 2003 for Itanium systems
- XP Professional x64
- Server 2003
- Server 2003 (Itanium)
- Server 2003 SP1
- Server 2003 SP1 (Itanium)
- Server 2003 x64
"In order for this attack to be carried out, a user must either visit a website that contains a web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker," Microsoft researcher Adrian Stone wrote in a post to the company's security blog.
The company noted that it has added the ability to detect the flaw to its Windows Live OneCare security software suite and plans to issue a security update for the operating system.
Security software maker McAfee Inc. researcher Craig Schmugar noted in a post to the company's Avert Labs blog Thursday that an attack on the Dolphin Stadium website in February used the same computer script that is now being used to exploit the animated cursor flaw.
The script that was embedded in the Dolphin Stadium web page, and thousands of others, downloaded spyware from a server registered in China, giving attackers full access to a victim's computer.
That sucks. Oh well. I don't use Windows anyway.