-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0038 -- AUSCERT ALERT
                                   [Win]
         Unpatched Microsoft Windows Animated Cursor vulnerability
                               4 April 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Microsoft Windows Vista
                      Microsoft Windows Server 2003
                      Microsoft Windows XP
                      Microsoft Windows 2000
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-0038

Ref:                  AU-2007.0012
                      AU-2007.0011
                      AU-2007.0010

Original Bulletin:   
http://www.microsoft.com/technet/security/advisory/935423.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

Revision History:     April 4 2007:  Microsoft release patches and added 
                                     CVE name.
                      March 30 2007: Microsoft re-released their bulletin 
                                     clarifying the information relating to 
                                     Outlook Express mitigation
                      March 30 2007: Initial Release


OVERVIEW:
        
        On March 29 2007 Microsoft issued Security Advisory (935423) [1] 
        describing a vulnerability in the handling of Animated Cursor 
        (.ani) files by various versions of Microsoft Windows. This 
        remained unpatched for several days until April 3, when patch 
        correcting this vulnerability was released by Microsoft.


IMPACT: 

        A malicious animated cursor file may cause a buffer overflow, 
        resulting in the execution of arbitrary code with the rights of the 
        current user.

        Computers may be compromised when a user receiving a malicious email 
        attachment, visiting a malicious web page or browsing to a malicious 
        file in windows explorer.

        There are several confirmed reports of the active exploitation of 
        this vulnerability [2][3][4] to install Trojan Horse malware.


MITIGATION:

        Microsoft released a patch and a security bulletin [5] addressing
        this vulnerability on the 3 April 2007.
 
        Microsoft state in their advisory that because of Internet 
        Explorer protected mode, IE 7 running on Vista is not vulnerable to 
        this attack.

        Microsoft has confirmed that configuring Outlook to display email 
        in plain text is a mitigation strategy. However, this mitigation
        strategy is not effective in Microsoft Outlook Express [6].

        Due to Internet Explorer's MIME sniffing functionality a malicious 
        file is not required to have a .ani extension in order to 
        successfully exploit this vulnerability. Administrators should 
        consider this when implementing web filters to mitigate this 
        vulnerability.

        Several anti-virus products will detect some variants of malicious 
        files exploiting this vulnerability. Therefore, AusCERT recommends 
        that users and administrators ensure they are using up to date 
        anti-virus definitions.


REFERENCES:

        [1] Microsoft Security Advisory (935423)
            http://www.microsoft.com/technet/security/advisory/935423.mspx

        [2] McAfee - Exploit-ANIfile.c
            http://vil.nai.com/vil/content/v_141860.htm#tab7

        [3] TrendMicro - TROJ_ANICMOO.AX
            http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX

        [4] SANS Handler's Diary: Windows Animated Cursor Handling vulnerability 
            http://isc.sans.org/diary.html?storyid=2534

        [5] Microsoft Security Bulletin MS07-017
            http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

        [6] Vulnerability Note VU#191609 - Microsoft Windows animated cursor 
            ANI header stack buffer overflow
            http://www.kb.cert.org/vuls/id/191609

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRhLeCyh9+71yA2DNAQJKqgP/RMJs7E+aqATO2kbXdJW1oyVdIQ2CuxhX
6yGp1lR6+BIYgE9vW2HKUPYANqbhmbVFpnwIAVT4N3BCiT9a28LIyNNc643rMXv5
XXRDqmQVRhPyhU5bPz5ot6FZXHXXR83W9SdKf+E+wUqTGDhoQnHCks/Ek9rrFKyz
wRrvNV1iCpk=
=JbbW
-----END PGP SIGNATURE-----