Windows Vulnerability in Animated Cursor Handling
Posted by
Zonk
on Fri Mar 30, 2007 08:43 AM
from the mind-those-hilarious-icons dept.
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
Related Stories
MS Plans Emergency Update to Fix .ANI Bug 109 comments
A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend has prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday." MS plans emergency update to fix blinking cursor bug.
Windows .ANI Problem Surfaced Two Years Ago 110 comments
An anonymous reader writes "There's a new twist to the tale of Windows .ANI exploit, that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."
Offsite: BBC Coverage
This discussion has been archived. No new comments can be posted.
338 comments
First Pwndst (Score:2, Insightful)
Re:First Pwndst (Score:4, Insightful)
Re:First Pwndst (Score:5, Interesting)
Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.
You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.
Re:First Pwndst (Score:4, Interesting)
The UAC dialog would not be shown in this case. The UAC box is only shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate its permissions while it is already running. If the process tries to access a restricted area of the filesystem/registry etc. while it is already running under these permissions, the API call will be denied.
Re:First Pwndst (Score:5, Interesting)
Why would my cursor run as root? (Score:5, Insightful)
Re:Why would my cursor run as root? (Score:5, Insightful)
Re:Why would my cursor run as root? (Score:5, Funny)
Successful.
Re:Why would my cursor run as root? (Score:5, Funny)
"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.
Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"
Re:Why would my cursor run as root? (Score:5, Insightful)
Re:Why would my cursor run as root? (Score:4, Interesting)
Re:IE protected mode (Score:4, Interesting)
Re:Why would my cursor run as root? (Score:4, Informative)
It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".
Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
Re:Why would my cursor run as root? (Score:5, Informative)
Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.
Re:Why would my cursor run as root? (Score:4, Insightful)
- Internet Explorer 7 [secunia.com]
- Firefox 2.x [secunia.com]
- Opera 9 [secunia.com]
Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?

If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that a sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.

It already hasn't been. The guys who found the exploit say [determina.com] that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclose the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.

It cannot erase my data, sure. Who but an angsty script kiddie would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers. Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?

HOW? Because, you know, your very own [microsoft.com] security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!

Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much more rarely than they do with IE, and the Opera guys are really good at getting them patched fast.
Re:Why would my cursor run as root? (Score:5, Insightful)
http://www.checkpoint.com/defense/advisories/publ
But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector, but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.
Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.
LoB
Surprise, Windows Listed as Most Secure OS (Score:5, Funny)
Re: Surprise, Windows Listed as Most Secure OS (Score:5, Funny)
Pfff. Locked in a vault? (Score:5, Funny)
Good heavens... (Score:4, Funny)
This old? (Score:5, Insightful)
Re:This old? (Score:5, Insightful)
Re:This old? (Score:5, Insightful)
Re:This old? (Score:4, Informative)
Re:This old? (Score:4, Informative)
So, their problems with animated cursors are really old, back to the NT 4 era.
Oblig. (Score:3, Funny)
goddam hackers (Score:1)
I mean, why the hell should you care about how your application crashes if you feed it a parameter that should not even happen in a goddamn icon animation program!
It's like asking people to live in bunkers in the real world.....
Something really needs to be done about those people. They really have too good a time abusing people when they can't be caught because they live in another country; it's too easy.
Re:goddam hackers (Score:5, Informative)
Every parameter from every possible input needs to be verified for its correctness. If it isn't, you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple; actual practice is hard.
A lot of the time these hacks are not found because someone was looking for a way to hack the system, but because they realized there was a problem when they did something wrong and it didn't return errors but had disastrous consequences.
Re:goddam hackers (Score:5, Insightful)
I was going to try to be calm and rational about this, but screw it.
It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.
Seriously. Quit before you break something.
Re:goddam hackers (Score:4, Funny)
The Solution is Amazing (Score:5, Funny)
Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.
Re:The Solution is Amazing (Score:5, Funny)
Vista Security. (Score:2)
Re:Vista Security. (Score:5, Funny)
Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."
I think this was carefully worded by them so they could say it with an honest face.
Only affects rendering using the IE engine... (Score:5, Interesting)
Why does it get to be this bad? (Score:4, Insightful)
Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.
Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.
Re:Why does it get to be this bad? (Score:5, Funny)
Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.
What kind of mouthbreather would even... (Score:5, Funny)
What's to investigate? (Score:3, Informative)
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give some advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop, and probably the best thing to do is to finally just plain not use MS, but in many cases that is not an option.
Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off the 'show content while dragging window' option, switch to the 'classic' look for the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders, and turn off the 'Remember each folder's settings' option.
I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients, do not allow active content to execute and never trust attachments.) It's a real pain; it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
Re:What's to investigate? (Score:5, Insightful)
That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes gets installed - usually via ActiveX.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is an appliance, like a toaster, because Bill Gates tells him it is.
Displaced Hot Spot (Score:2)
Criminals using this vulnerability ? (Score:5, Funny)
" So, ANI are you ok ? Are you ok ANI ?
You've been hit by... you've been hit by... a smooth criminal ! "
A workaround for this... (Score:5, Funny)
I use the comet cursor package that installed itself automatically when I browsed the web.
It has some great cursors and loads of other features that make using Windows far more entertaining.
I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.
Oh So Happy It's Thursday... (Score:1)
Oh
So
Happy
It's
Thursday
moment again.
I can hear Ballmer screaming... (Score:5, Funny)
Not today (Score:1)
Windows Vulnerability in Antimater Containment (Score:1, Offtopic)
Solution: "You are trying to move the mouse..." (Score:5, Funny)
In other news... (Score:1)
Stop the animated scrolling up and down (Score:2)
Caution (Score:5, Informative)
http://www.secureworks.com/research/threats/gozi/ [secureworks.com]
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.
This doesn't include all cursors... (Score:2)
Is there nothing that can't be exploited in MSWin? (Score:2)
IE loads animated cursors via CSS (Score:5, Informative)
body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified
I am almost positive there is no way to disable this in IE.
Re:IE loads animated cursors via CSS (Score:5, Informative)
Un-fragging-believable! (Score:5, Insightful)
If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.
If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.
The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?
I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .
Another stupid buffer overflow... (Score:2)
Any use of a stack-based static-sized buffer should have thrown up huge red flags during code review. To have unchecked use of a static buffer make its way into production code is inexcusable in this day and age, particularly at Microsoft.
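An added example, written for this page rather than taken from the thread, from eEye or from Microsoft: a small RIFF/ACON chunk walker in C that puts the stack-buffer pattern the post above objects to beside a bounds-checked version. It assumes only the public .ANI layout (a RIFF file of type ACON whose anih chunk carries a 36-byte header); the function names, error codes and the constructed sample file are mine, and the unsafe routine illustrates the bug class, not the actual user32.dll code. The same validator is the content check a filtering proxy would run on anything a page pulls in through cursor: url(...), as in the CSS post further up, because the URL's extension says nothing about what the bytes are.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u   /* sizeof(ANIHEADER): nine little-endian 32-bit fields */

typedef struct {
    uint32_t cb_size, n_frames, n_steps, cx, cy, bit_count, planes, jif_rate, flags;
} ani_header;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void unpack_header(const uint8_t *p, ani_header *h) {
    h->cb_size = rd32(p);     h->n_frames = rd32(p + 4);  h->n_steps = rd32(p + 8);
    h->cx = rd32(p + 12);     h->cy = rd32(p + 16);       h->bit_count = rd32(p + 20);
    h->planes = rd32(p + 24); h->jif_rate = rd32(p + 28); h->flags = rd32(p + 32);
}

/* The pattern the post objects to: the chunk's own length field sizes a copy
 * into a fixed 36-byte stack buffer, so an anih chunk longer than 36 bytes
 * runs past hdr[] into the saved frame. Shown for contrast only (an
 * illustration of the bug class, not the Windows code); never call it on
 * untrusted input. */
static int anih_copy_unsafe(const uint8_t *chunk, uint32_t chunk_len, ani_header *out) {
    uint8_t hdr[ANIH_SIZE];
    memcpy(hdr, chunk, chunk_len);   /* BUG: chunk_len comes straight from the file */
    unpack_header(hdr, out);
    return 0;
}

/* Hardened walk over the top-level RIFF chunks. Every length the file supplies
 * is checked against the bytes actually present before it is used, and every
 * anih chunk (not only the first one) must be exactly ANIH_SIZE bytes.
 * Returns 0 for a structurally sane file, a negative code otherwise. */
static int ani_validate(const uint8_t *buf, size_t len, ani_header *out) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;                                       /* not a RIFF/ACON file */
    uint32_t riff_size = rd32(buf + 4);
    if (riff_size < 4 || riff_size > len - 8) return -2; /* declared size exceeds data */
    size_t end = 8 + riff_size, pos = 12;
    int anih_seen = 0;
    while (pos + 8 <= end) {
        const uint8_t *id = buf + pos;
        uint32_t csize = rd32(buf + pos + 4);
        pos += 8;
        if (csize > end - pos) return -3;                /* chunk claims bytes it does not have */
        if (memcmp(id, "anih", 4) == 0) {
            if (csize != ANIH_SIZE) return -4;           /* the fix: length must match the struct */
            if (rd32(buf + pos) != ANIH_SIZE) return -5; /* cbSizeof field must agree too */
            if (out) unpack_header(buf + pos, out);
            anih_seen++;
        }
        pos += csize + (csize & 1);                      /* RIFF pads odd-length chunks */
    }
    if (anih_seen == 0) return -6;
    if (anih_seen > 1) return -7;                        /* a second header is not a valid file */
    return 0;
}

/* Constructed test input (not a real cursor file): a minimal RIFF/ACON holding
 * one anih chunk whose length field is anih_len and whose cbSizeof is cb_size.
 * Returns the file length, or 0 if it does not fit in cap bytes. */
static size_t build_ani(uint8_t *out, size_t cap, uint32_t anih_len, uint32_t cb_size) {
    size_t total = 12 + 8 + (size_t)anih_len + (anih_len & 1);
    if (total > cap || anih_len < 8) return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);       wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);  wr32(out + 16, anih_len);
    wr32(out + 20, cb_size);      /* cbSizeof */
    wr32(out + 24, 1);            /* cFrames */
    return total;
}
```

The two checks that matter are the ones the unsafe routine lacks: the chunk length is compared with the bytes remaining in the buffer before anything is read, and the anih length is compared with the fixed struct size before anything is copied. Checking only the first anih chunk would leave any later one unvalidated, which is why the loop applies the test to every chunk it meets.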
Buffer overflows (Score:2)
Why doesn't the no-execute bit fix this?
Ah yes (Score:3, Insightful)
I tried to give MS some feedback on their advisory (Score:1)
So I thought I'd do MS a favour and give feedback for the first time ever.
How would you rate the usefulness of this content ?
(I picked 'Poor'.)
Tell us why you rated the content this way. (optional)
1. Insufficient explanation on how to avoid problem.
2. Insufficient explanation on who is vulnerable: I don't use IE, Outlook, Outlook Express, Media Player; I don't use animated cursors - am I vulnerable? If so, through what path? Are responsibly and competently built Web browsers and mail clients (e.g. Firefox, Opera, Thunderbird) vulnerable? How?
3. Weasel words on 'specially crafted' Web pages and emails. Don't imagine this kind of misleading garbage makes you look any better. If you can't say something useful, don't say anything.
It said:
Please limit comments to 256 characters.
Nick
Arbitrary Code? (Score:1)
I doubt it would be arbitrary code.
I'll bet it would be some specific code the bad guys want to run.
FWIW.
Molecular Mechanic
Don't worry ! (Score:4, Insightful)
RTMF (Read The Mitigating Factors) !:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See, much ado about nothing !:
- the attacker would have to host a web site [surely, they couldn't, could they !]
- the attacker could compromise a web site [probably they would not know how to, would they !]
- the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
- the attacker would need to persuade us [just told my wife not to answer the phone or door bell]
Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.
Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !
hot spot misdirection (Score:1)
obligatory haiku (Score:2)
your vista features amaze!
where is my O/S?
Boy... (Score:4, Funny)
Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
I think the important thing to note here is that MS is actually delivering on its promise to deliver a more secure OS and set of applications for users.
Third party patch ... eEye (Score:2)
The patch blocks the loading of cursors from directories other than those below the Windows base directory. Source included.
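An added example of the policy the post describes, written for this page rather than taken from eEye's patch or from anyone in the thread: a user-mode check that a cursor path resolves to somewhere below the Windows base directory. The directory constant, the function names and the sample paths are assumptions. The part worth copying is the canonicalisation before the compare: a bare prefix match accepts C:\WindowsEvil\ and any path containing ..\, and on a real system the resolved path should come from the OS (GetFullPathName) since 8.3 short names and junctions are cases a string-only check does not see.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed location of the Windows base directory; on a real system this
 * comes from GetWindowsDirectory, not a constant. */
#define WIN_DIR "C:\\WINDOWS"

/* Resolve '.' and '..' and normalise separators in a drive-rooted path
 * ("C:\..." or "C:/...") into out. Relative and UNC paths are refused, since
 * a cursor path that cannot be resolved should not pass the check.
 * Returns 0 on success, -1 on refusal or if out is too small. */
static int canon_path(const char *in, char *out, size_t cap) {
    size_t n = strlen(in), olen = 3, i = 3;
    if (n < 3 || !isalpha((unsigned char)in[0]) || in[1] != ':' ||
        (in[2] != '\\' && in[2] != '/') || cap < 4)
        return -1;
    out[0] = (char)toupper((unsigned char)in[0]); out[1] = ':'; out[2] = '\\';
    while (i <= n) {                          /* one path component per iteration */
        size_t j = i;
        while (j < n && in[j] != '\\' && in[j] != '/') j++;
        size_t clen = j - i;
        if (clen == 2 && in[i] == '.' && in[i + 1] == '.') {
            if (olen > 3) {                   /* pop the previous component; '..' at the root stays put */
                olen--;
                while (olen > 3 && out[olen - 1] != '\\') olen--;
            }
        } else if (clen > 0 && !(clen == 1 && in[i] == '.')) {
            if (olen + clen + 2 > cap) return -1;
            memcpy(out + olen, in + i, clen);
            olen += clen;
            out[olen++] = '\\';
        }
        i = j + 1;
    }
    if (olen > 3 && out[olen - 1] == '\\') olen--;   /* no trailing separator */
    out[olen] = '\0';
    return 0;
}

/* The policy from the post: allow a cursor only if its resolved path is
 * strictly below WIN_DIR. The comparison is case-insensitive (Windows paths
 * are) and insists on a separator right after the prefix, which is what stops
 * "C:\WINDOWSEVIL\x.ani" from matching. Returns 1 to allow, 0 to block. */
static int is_under_windows_dir(const char *path) {
    char canon[1024];
    size_t plen = strlen(WIN_DIR), k;
    if (canon_path(path, canon, sizeof canon) != 0) return 0;
    if (strlen(canon) <= plen) return 0;            /* the directory itself is not a cursor */
    for (k = 0; k < plen; k++)
        if (toupper((unsigned char)canon[k]) != toupper((unsigned char)WIN_DIR[k])) return 0;
    return canon[plen] == '\\';
}
```

A check like this only constrains where a cursor file may sit; it does nothing about a malformed file that is already under the Windows directory, so it complements rather than replaces validating the file's contents.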
BBC says you are saved if you use IE7 on Vista. (Score:1)
status quo (Score:2)
Vista = Blanket Security only. (Score:1)
Microsoft has taken a position not to evaluate that code and make it more secure; instead they have introduced blanket, catch-all security measures: firewalls, stack protection, authorize dialogs, protected processes etc. So what you basically have is a very insecure OS covered up by a security layer. This is not a secure OS. A secure OS does not need a protective layer wrapped around it; a secure OS does not need a firewall. Why? Because it's internally secure without it.
The same people who are saying the catch phrase line "Microsoft did a pretty good job with Vista" are the same people who said the same thing about XP and 2k and NT. I remember hearing it.. "I think Microsoft did a pretty good job with Windows XP." That means they accept that its flawed, and there is risk running it, but they don't want to acknowledge it?
Firefox is also vulnerable to this Windows flaw (Score:1)
All hail (Score:2)
If you can't trust your cursor ... (Score:2)
There is an exploit in the wild (Score:1)
Comet Cursor.
Re:oldie but goodie (Score:1)
Re:what about a vulnerability in Clippy? (Score:2)
Re:oldie but goodie (Score:2)
I don't recall exactly what this current exploit does so if someone knows, please chime in. IIRC, they are related in the fact that it is the mouse handler( ya know that's gotta be a huge codebase
LoB
Re:DOH! (Score:2)
Welcome to Windows Vista my friend.