AL-2007.0038 -- [Win] -- Microsoft Windows Animated Cursor vulnerability
Date: 04 April 2007
References: AU-2007.0010, AU-2007.0011, AU-2007.0012, ESB-2007.0255
===========================================================================
                        A U S C E R T   A L E R T

                   AL-2007.0038 -- AUSCERT ALERT
      [Win] Unpatched Microsoft Windows Animated Cursor vulnerability
                             4 April 2007
===========================================================================

AusCERT Alert Summary
---------------------

        Product:            Microsoft Windows Vista
                            Microsoft Windows Server 2003
                            Microsoft Windows XP
                            Microsoft Windows 2000
        Operating System:   Windows
        Impact:             Execute Arbitrary Code/Commands
        Access:             Remote/Unauthenticated
        CVE Names:          CVE-2007-0038
        Ref:                AU-2007.0012
                            AU-2007.0011
                            AU-2007.0010

Original Bulletin:
        http://www.microsoft.com/technet/security/advisory/935423.mspx
        http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

Revision History:
        April 4 2007:   Microsoft released patches and added the CVE name.
        March 30 2007:  Microsoft re-released their bulletin clarifying the
                        information relating to the Outlook Express mitigation.
        March 30 2007:  Initial Release

OVERVIEW:

        On March 29 2007 Microsoft issued Security Advisory (935423) [1]
        describing a vulnerability in the handling of Animated Cursor (.ani)
        files by various versions of Microsoft Windows. This remained
        unpatched for several days until April 3, when a patch correcting
        this vulnerability was released by Microsoft.

IMPACT:

        A malicious animated cursor file may cause a buffer overflow,
        resulting in the execution of arbitrary code with the rights of the
        current user. Computers may be compromised when a user receives a
        malicious email attachment, visits a malicious web page or browses
        to a malicious file in Windows Explorer. There are several confirmed
        reports of active exploitation of this vulnerability [2][3][4] to
        install Trojan Horse malware.

MITIGATION:

        Microsoft released a patch and a security bulletin [5] addressing
        this vulnerability on 3 April 2007.
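The overflow described under IMPACT sits in the .ani header chunk. As an added example, not part of the AusCERT alert or of any Microsoft code, the following Python identifies animated cursor files by their RIFF/ACON content rather than by file extension and flags any anih header chunk whose declared length is not the 36 bytes of the standard ANIHEADER structure. The 36-byte size is the documented structure size; treating every other declared length as suspect is this heuristic's own assumption, not the vendor's check.

```python
import struct

ANIHEADER_SIZE = 36  # size in bytes of the fixed ANIHEADER structure (9 DWORDs)


def is_ani_by_content(data: bytes) -> bool:
    """True if the bytes are a RIFF container of form type 'ACON', i.e. an
    animated cursor, whatever the file name or extension says."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data: bytes, start: int = 12):
    """Yield (fourcc, declared_size, payload_offset) for each top-level RIFF
    chunk. Declared sizes come from the file and are never trusted to fit."""
    off = start
    while off + 8 <= len(data):
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        yield fourcc, size, off + 8
        off += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def suspicious_anih_chunks(data: bytes) -> list:
    """Return (chunk_offset, declared_size) for every 'anih' chunk whose
    declared size is not the 36 bytes a well-formed header occupies.
    Heuristic (assumption): a header chunk declaring any other length is
    malformed and should be treated as suspect rather than loaded."""
    return [(payload - 8, size)
            for fourcc, size, payload in iter_chunks(data)
            if fourcc == b"anih" and size != ANIHEADER_SIZE]


def classify(data: bytes) -> str:
    """Verdict a content filter could act on: 'not-ani', 'ani-ok' or 'suspicious'."""
    if not is_ani_by_content(data):
        return "not-ani"
    return "suspicious" if suspicious_anih_chunks(data) else "ani-ok"


def build_ani(anih_payload: bytes) -> bytes:
    """Constructed sample: minimal RIFF/ACON file holding a single anih chunk."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    chunk += b"\x00" * (len(anih_payload) & 1)
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs: a well-formed 36-byte header, and a malformed header
# chunk that declares 100 bytes (the shape a filter should refuse to pass).
BENIGN = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 10, 1))
MALFORMED = build_ani(b"A" * 100)
```

Because the check keys on content, a file renamed to `.jpg` or served with a misleading MIME type is classified the same way as one named `.ani`.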
        Microsoft state in their advisory that, because of Internet Explorer
        protected mode, IE 7 running on Vista is not vulnerable to this
        attack.

        Microsoft has confirmed that configuring Outlook to display email in
        plain text is a mitigation strategy. However, this mitigation
        strategy is not effective in Microsoft Outlook Express [6].

        Due to Internet Explorer's MIME sniffing functionality, a malicious
        file is not required to have a .ani extension in order to
        successfully exploit this vulnerability. Administrators should
        consider this when implementing web filters to mitigate this
        vulnerability.

        Several anti-virus products will detect some variants of malicious
        files exploiting this vulnerability. Therefore, AusCERT recommends
        that users and administrators ensure they are using up-to-date
        anti-virus definitions.

REFERENCES:

        [1] Microsoft Security Advisory (935423)
            http://www.microsoft.com/technet/security/advisory/935423.mspx

        [2] McAfee - Exploit-ANIfile.c
            http://vil.nai.com/vil/content/v_141860.htm#tab7

        [3] TrendMicro - TROJ_ANICMOO.AX
            http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX

        [4] SANS Handler's Diary: Windows Animated Cursor Handling vulnerability
            http://isc.sans.org/diary.html?storyid=2534

        [5] Microsoft Security Bulletin MS07-017
            http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

        [6] Vulnerability Note VU#191609 - Microsoft Windows animated cursor
            ANI header stack buffer overflow
            http://www.kb.cert.org/vuls/id/191609

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================