Archive for April 3rd, 2007

Animated Cursor Handling (ANI) exploit

…Microsoft has released advisory 935423 regarding a vulnerability in Windows Animated Cursor Handling. A bug in the way Windows renders animated cursor files can allow execution of arbitrary code under the privileges of the user that downloaded the malicious file. CVE-2007-0038 (previously also CVE-2007-1765) has been assigned to this vulnerability.
Affected are Win2k, XP, Server 2003 and Vista (UPDATED). While animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability. We have received reports of this vulnerability being exploited in the wild using files renamed to jpeg… [4]

Bulletin | KB number | Description                            | Severity | Impact                | Software
         |           | Animated Cursor Handling (ANI) exploit | Critical | Remote Code Execution | Windows

… From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007… [1]

This has resulted in MS scheduling an out-of-sequence patch:

On Tuesday 3 April 2007 Microsoft is planning to release: [3]
Security Updates

  • One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

How are you exploited?

If you open up a folder with Explorer (not Internet Explorer) that has a malicious .ANI file (file-extension matters in this case) it will exploit the system. At least automated processes won’t trigger execution (unlike WMF). (US-CERT Advisory) [7]

How much protection do we have in place?

# E-mails opened in plaintext will not show embedded ANI files. Note that HTML attachments can still be interpreted when separately clicked upon. [Thunderbird | Outlook & 2.0].
# Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files.
… [4]
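The point above, that blocking .ani files by extension is not sufficient because renamed copies (e.g. .jpeg) are still handled as cursors, suggests identifying these files by content rather than by name. The following is an added example, not code from the original post or from any of the cited advisories: a small Python checker that recognises an animated cursor by its RIFF/ACON signature regardless of file name and flags basic structural anomalies. The 36-byte anih header size is a format fact not stated on the page, and the sample file is constructed.

```python
import struct

# Size of the fixed ANIHEADER structure carried in the "anih" chunk of a
# well-formed animated cursor (format fact; not stated on the page).
ANI_HEADER_SIZE = 36


def riff_chunks(data):
    """Yield (chunk_id, payload) for each top-level chunk after the 12-byte
    RIFF header; raise ValueError if a chunk claims more bytes than remain."""
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated %r chunk" % chunk_id)
        yield chunk_id, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def inspect_file(data, filename):
    """Return a list of findings; empty means the bytes are either not an
    animated cursor or a structurally sane one carrying a .ani name."""
    findings = []
    # Identify ANI by content: a RIFF container whose form type is ACON.
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings
    if not filename.lower().endswith(".ani"):
        findings.append("ANI content under non-.ani extension")
    anih_count = 0
    try:
        for chunk_id, payload in riff_chunks(data):
            if chunk_id == b"anih":
                anih_count += 1
                if len(payload) != ANI_HEADER_SIZE:
                    findings.append("anih chunk is %d bytes, expected %d"
                                    % (len(payload), ANI_HEADER_SIZE))
    except ValueError as exc:
        findings.append(str(exc))
    if anih_count == 0:
        findings.append("no anih chunk")
    return findings


def build_minimal_ani():
    """Constructed sample: the smallest well-formed RIFF/ACON file, holding
    only an anih chunk of the expected size (all header fields zero)."""
    anih = b"anih" + struct.pack("<I", ANI_HEADER_SIZE) + bytes(ANI_HEADER_SIZE)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Run `inspect_file(open(path, "rb").read(), path)` over a download or mail-attachment directory to surface cursor files hiding behind image extensions.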

[1] Latest on security update for Microsoft Security Advisory 935423 (2007-04-01) [MS Security Blog]
[2] Microsoft to Release Out-of-Schedule Patch for ANI Vulnerability (2007-04-02) [SANS]
[3] Microsoft Security Bulletin Advance Notification (2007-04-01) [MS]
[4] Windows Animated Cursor Handling vulnerability – CVE-2007-0038 (2007-03-29) [SANS]
[5] Microsoft Security Advisory (935423) – Vulnerability in Windows Animated Cursor Handling (2007-03-29) [MS TechNet]
[6] Unpatched Drive-By Exploit Found On The Web (2007-03-28) [McAfee Blog]
[7] ANI: It Gets Better (2007-03-31) [SANS]
[8] AL-2007.0038 — [Win] — Unpatched Microsoft Windows Animated Cursor vulnerability (2007-03-30) [AUSCERT]
[9] AU-2007.0011 — AusCERT Update – [Win] – New worms exploiting the Animated Cursor vulnerability (2007-04-02) [AUSCERT]

