Microsoft Bug Security

MS Plans Emergency Update to Fix .ANI Bug

A feed from The Reg says "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    that ANI will be ok.
  • possible workaround (Score:1, Interesting)

    by slyxter ( 609602 )
    Wouldn't setting your own .css file in IE's accessibility options work for this? Just set the .ani to something safe and that should override any website's settings.
    • by _xeno_ ( 155264 ) on Monday April 02, 2007 @11:36AM (#18574505) Homepage Journal

      Yes, but not quite the way you say - you'd want to override the cursor on all elements.

      The CSS override would be fairly simple:

      * { cursor: text !important; }
      /* The next rule returns links to being the little hand cursor: */
      a { cursor: pointer !important; }

      That overrides the cursor on all elements. The !important is important - the user-specified stylesheet is by default overridden by local pages. However, pages can't override !important rules in the user stylesheet.

      However, I have not checked to make sure that using that stylesheet will actually prevent IE from downloading the cursor. For all I know it will still attempt to download the cursor anyway and still be vulnerable.

      • by _xeno_ ( 155264 ) on Monday April 02, 2007 @11:55AM (#18574777) Homepage Journal

        Well, I've had the chance to test it now. Internet Explorer (well, version 6, at least) in fact does download the ANI file anyway even when it's been overridden. I'm guessing it in fact downloads all related CSS resources even if they're never used.

        Unfortunately I can't test if IE is actually vulnerable with the stylesheet in place because I'm behind a firewall that prevents me from getting any of the proof-of-concept files. So if someone else wants to test it, let me know.

      • Don't forget that IE doesn't understand the "pointer" value for "cursor" - use "hand" instead:

        a { cursor: hand !important; }
    • No (Score:4, Informative)

      by Opportunist ( 166417 ) on Monday April 02, 2007 @12:26PM (#18575195)
      It's not just animated cursors, it's EVERYTHING that calls LoadAniIcon. See here [zone-h.org] for details (don't worry, not enough details to reproduce it easily, just a pretty neat explanation of what's cooking).

      What sends shivers up my spine is that I have a jpeg here that seems to work the same way. Now, how likely is it that a jpeg gets loaded in IE? I have that gut feeling that the WMF trojan storm of last year was a gentle breeze compared to this.

      I have a hunch that this could maybe be the reason why MS is in such a hurry to fix this. And, while I rarely agree with them, I consider this extremely urgent as well. But only because I know no stronger word than urgent.
      • by Bungie ( 192858 )

        Thanks for the link! I've been trying to find a detailed report on the vulnerability since it was first announced. That was exactly what I needed to know!

  • by foxpaws ( 28518 ) <foxpaws@nospaM.neptuneskitchen.com> on Monday April 02, 2007 @11:05AM (#18574015) Homepage
    I'd comment if I could hit the "submit" button with this darned cursor....
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Sorry, my bad. Here, let me hit that button for you...
  • by Frogmanalien ( 521225 ) on Monday April 02, 2007 @11:06AM (#18574039) Homepage
    Doesn't this just make Patch Tuesday more and more irrelevant- that's at least twice (in my memory) that they have had to release a patch "out-of-cycle". I don't give a monkey about cycles, I just want security patches deployed when they have been tested and are available! Big corporates should be using WSUS to manage patching so there's really no excuse for it to catch people off guard in the business world, and I'm sure that most consumers think the same as me- fix my computer, and fix it now!
    • In fact, many larger enterprises only do updates quarterly, unless there is known to be a live exploit in the wild that a particular patch fixes. They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.
      • Re: (Score:3, Insightful)

        by Anonymous Coward
        They usually have firewalls, anti-virus and anti-malware technologies in place so that updating quarterly isn't a big deal for the most part.

        Wrong. They think it's not a big deal. But it is. It has been shown, without any surprise to security-conscious people, that there were bots and spamming-bots at several Fortune 500 companies. No matter how many anti-virus and firewall you've got, you're not detecting root-exploit hiding in Windows' kernel and communicating by hiding into seemingly regular http/htt
        • Re: (Score:3, Insightful)

          by rbanffy ( 584143 )
          As a friend of mine once said, "you pay peanuts, you buy monkeys".

          There is little question a Windows administrator costs less than an experienced unix'er (a monkey can push a couple buttons and create a new user, but using adduser takes at least two working neurons), but the real question is if you want to trust your company's information to somewhat trained monkeys.
    • by Anonymous Coward
      the "most secure" OS more than once a month?
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      WSUS doesn't get you out of the huge testing cycle large corps have to do to make sure new patches don't break any of their many custom in-house-built-apps (as well as purchased apps) before they deploy them. The testing is still easier and less time consuming to do in batches. Rolling out the patches with WSUS is the easy part of the deal. Big corps don't give a monkey about some yahoo on /. who doesn't understand what their process is before rolling out patches. They specifically asked MS to do patch t
    • Don't complain now... Microsoft has known about this since December of last year - who knows how long the black hats have been using it?

      I'm upset because I am responsible for users running Windows, and although I have set policy forbidding the usage of IE, I can't enforce it because of Microsoft tying the browser to the OS. I can't imagine the fits CIO's at bigger firms are having right now, and even more so at financial institutions (e.g. Wells Fargo), and then what if you were managing the network for s

      • I'm upset because I am responsible for users running Windows, and although I have set policy forbidding the usage of IE, I can't enforce it because of Microsoft tying the browser to the OS.

        You can still remove I.E. the program while leaving the I.E. rendering engine installed for patching (through I.E. tabs in mozilla or whatnot) without having any real downside effects (programs depending on I.E. still run as they don't use iexplore.exe) I've been doing this for years with XPlite, but you can just as e
    • Spoken like someone who doesn't deploy patches to an Enterprise.

      Do you have any idea the disruption caused by patch deployments even on a monthly cycle? Particularly when reboots are involved?

      I realize this is due to bad design on Microsoft's part... but at least with a monthly, predictable cycle I can work with the business to schedule downtime. That's where "Patch Tuesday" comes in.

      I also realize that managed patching is the way to go... no matter the release cycle. However, we still end up with the same p
      • Want to patch one day per month? Fine. How about one day per year? It's your choice.

        Some would rather not delay. They're not getting THEIR choice.

        Remember, if Microsoft releases a patch every 30 minutes, you can still choose one day per month to apply them all.
  • by Anonymous Coward
    often this happens because some person released a working example
    for windows XP or what not. then a loser or three use this code
    to arm their worms. remember, the worm is written many times over,
    they just wait for 0day. they do not code anything, but cut and
    paste.

    who and where is the code? let's thank them for their hard work :-(
    • I have the source for it here in front of me. It's far from trivial (buffer overflows rarely are). A good working understanding of assembler is the bare basics to start understanding what's going on. At the very least you'll need someone who can stuff your worm code into it (even further away from trivial).

      This ain't some VB code that you copy, paste and alter. We're talking hand crafted assembler injection code here which does differ a lot from application to application. Just because you have a sample tha
  • I seriously thought that this animated cursor vulnerability was an April 1st joke. Lesson learned: with m$, the most unreal jokes become reality...
  • by 8127972 ( 73495 ) on Monday April 02, 2007 @11:16AM (#18574183)
    ... Just release patches when they are ready as opposed to releasing them in groups on "patch Tuesday" as there seem to be an increasing number of zero-day exploits out in the wild. Consider that it took M$ forever to close the zero-day exploits in Office even though there were exploits in the wild and they even warned users about them [slashdot.org] which IIRC was a highly unusual step for them.
    • by ColdWetDog ( 752185 ) on Monday April 02, 2007 @11:38AM (#18574537) Homepage
      No No No No!

      Patch Tuesday is wonderful. That means I can get up Wednesday morning, boot up my wife's PC and not have to deal with "Honey, what's the flashing little shield for again?". And before you ask, yep, it's going to Ubuntu pretty soon. Just got her on Firefox ("where is the blue E thingy now? How come it works different? Did you break the computer again?").

      The good news? She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se. Time for the screwdrivers...

      • by sunwukong ( 412560 ) on Monday April 02, 2007 @12:39PM (#18575381)
        "where is the blue E thingy now? How come it works different? Did you break the computer again?"
        Time for the screwdrivers...


        And by that you mean the alcoholic beverage, right?

        Family tech support: proving S&M tendencies is genetic.
      • Ahh... an anti-Windows zealot shows his true colors... "She now knows what a BSOD is - although I'm saddened to report that it is likely some annoying little hardware problem rather than being a Windows issue per se.". So then, you'd be HAPPY if Windows BSOD'ed for no reason, just so you could jump up and down and point and scream, "SEE??!?!! WINDOWS IS EEEEVIL!!" C'mon. Grow up. If you're married, then you've gotta be at least 16-ish. Instead, you're acting like a 12 year old.
    • by Endo13 ( 1000782 )
      Hey, I'd settle for just having them release patches for zero-day vulnerabilities on the first patch Tuesday following the discovery of the vulnerability. But they can't even manage that.

      However one thing they could do is release patches as an Optional Software update as soon as they're ready, and then move them to High Priority update status on patch Tuesday.
    • by rbochan ( 827946 )
      That's going into your file [slashdot.org]!

  • look at the cute little fat blue dinosaur wobble!

    oh! what gorgeous red prancing pony!

    oooh! a spinning coin, it's magic!

    ha! i like how the fingers tap as they wait, it makes me smile

    wait, what's this?

    V1AGRATEENORGYLOANPREAPPROVEDC1A1SDEARSIRIHAVEALAR GESUMINLAGOSNIGERIA...

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday April 02, 2007 @11:27AM (#18574339)
    Comment removed based on user account deletion
    • It seems that if a small group like ZERT can release a patch in a couple days [isotf.org], a company with purse strings like MS should be able to release a supported patch in less than four months!

      There's a difference between a quick hack and a properly-written and -tested patch. Please don't fall victim to the belief that just because white/grey-hat hackers can do something quickly, they are doing it in a way that is robust enough to work in an enterprise-scale deployment, and comprehensively solves the ro
      • Comment removed based on user account deletion
      • by smash ( 1351 )
        Granted, however my experience is that the larger the organisation, the less efficient and sloth-like it is.

        I've worked for 4 companies of various sizes, and been able to get more done in a 2 person organisation than I can in a 2500 employee company simply because in the 2500 employee company, everything needs to go to committee chaired by idiots who have no idea with regards to the problem in question, no one wants to take responsibility, and no one has the balls to make a decision.

  • by Opportunist ( 166417 ) on Monday April 02, 2007 @11:29AM (#18574379)
    It's a buffer overflow that allows you to execute arbitrary code. Much like the WMF exploit a year ago. But more serious. I have a sample here that opens a program just by browsing (with the explorer) into the directory that contains it.

    Nasty sh.t. Even downloading and wanting to dissect it with some disassembler is already enough to set it off, the moment you use the open dialog of your dis.
    • by shird ( 566377 )
      The WMF 'exploit' was actually 'by design' and supposed to execute code, it was a feature. Originally used to handle cases where an abort or something is required when rendering and the WMF file itself could contain a callback consisting of code to handle it. (I forget the exact details, but it's something like that).

      A buffer overflow is something completely different.

      I just don't understand why an internet browser would be attempting to download and parse an .ANI file automatically without prompting the use
      • Actually the WMF exploit was a buffer overflow issue. Yes, it was a bug in the escape function that allows you to pass code, but the actual problem was that the buffer you're writing to was located on the stack (and still is, afaik), and it was not checked whether you try to fill more into it than you should. That's what happens when you let the user set how many bytes he wants to use but offer him a static field to write into. It was bound to happen, if not by malice then by accident.

        I don't understand why
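The bug class the comment above describes (a byte count taken from the file, copied into a fixed-size field), shown beside a bounds-checked chunk walker. This is an added example, not code from the thread or from Windows; the tag/length chunk layout, the "hdr " tag, the 36-byte field size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: 4-byte tag, 4-byte little-endian length,
   then the payload. HDR_SIZE and the "hdr " tag are hypothetical. */
#define HDR_SIZE 36u

enum { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2, CHUNK_MISSING = -3 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern described above: the file chooses the byte count, the
   destination is a fixed-size field. Safe only if declared <= HDR_SIZE. */
void copy_hdr_unchecked(const uint8_t *chunk, uint8_t hdr[HDR_SIZE]) {
    uint32_t declared = rd_le32(chunk + 4);
    memcpy(hdr, chunk + 8, declared);   /* no bound: overruns hdr if larger */
}

/* Hardened form: walk every chunk, bound each declared length by the bytes
   actually present, and bound header chunks by the destination size. */
int load_hdr_checked(const uint8_t *buf, size_t len, uint8_t hdr[HDR_SIZE]) {
    size_t off = 0;
    int found = 0;
    while (len - off >= 8) {
        uint32_t declared = rd_le32(buf + off + 4);
        size_t avail = len - off - 8;
        if (declared > avail) return CHUNK_TRUNCATED;
        if (memcmp(buf + off, "hdr ", 4) == 0) {
            if (declared > HDR_SIZE) return CHUNK_TOO_LARGE;
            memset(hdr, 0, HDR_SIZE);
            memcpy(hdr, buf + off + 8, declared);
            found = 1;
        }
        off += 8 + (size_t)declared;
        if ((declared & 1) && off < len) off++;   /* payloads pad to even size */
    }
    if (off != len) return CHUNK_TRUNCATED;       /* leftover partial header */
    return found ? CHUNK_OK : CHUNK_MISSING;
}

/* Builds a constructed sample: one "hdr " chunk whose length field says
   `declared`, followed by `payload` zero bytes (payload must be <= 248). */
static size_t build_sample(uint8_t *out, uint32_t declared, size_t payload) {
    memcpy(out, "hdr ", 4);
    out[4] = (uint8_t)declared;
    out[5] = (uint8_t)(declared >> 8);
    out[6] = (uint8_t)(declared >> 16);
    out[7] = (uint8_t)(declared >> 24);
    memset(out + 8, 0, payload);
    return 8 + payload;
}

/* Runs the checked loader over a constructed sample and returns its status. */
int check_sample(uint32_t declared, size_t payload) {
    uint8_t file[256], hdr[HDR_SIZE];
    size_t n = build_sample(file, declared, payload);
    return load_hdr_checked(file, n, hdr);
}

int main(void) {
    printf("36-byte chunk: %d\n", check_sample(36, 36));
    printf("64-byte chunk: %d\n", check_sample(64, 64));
    printf("short file:    %d\n", check_sample(36, 10));
    return 0;
}
```
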
  • by MillionthMonkey ( 240664 ) on Monday April 02, 2007 @11:31AM (#18574427)

    Microsoft's security gnomes have been working round the clock to produce and test a fix and explains the rationale for Redmond's unusual (but far from unprecedented) decision to publish an out-of-sequence fix.
    Dear Microsoft,
    Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
    People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
    • by Savage-Rabbit ( 308260 ) on Monday April 02, 2007 @12:16PM (#18575055)

      Dear Microsoft,
      Why did your "security gnomes" not speak up in the first place about such a stupid feature? Why are these things always sneaking in through cursors and screensavers? Are you keeping them busy implementing crap like this in the first place, instead of having security gnomes look at your existing code?
      People will continue to leave Windows in droves because it's getting loaded with troublesome features like this that backfire even for people who aren't using them or aren't aware of them. Nobody is interested in this junk aside from malware writers and teeny boppers, but everyone is exposed to the vulnerabilities in these features anyway nonetheless because they're bundled into the OS. The vast majority of users are not interested in having their stupid mouse cursors animate. And this chronic habit of running code that arrives over the Internet from unknown sources is getting really old.
      Dear Customer,
      Unfortunately a horde of deranged Mac users has invaded the Microsoft Development Center. They seized the security gnome's cave and their slashdot troll is currently blocking the entrance. Unfortunately, at the time this happened, we had just successfully repelled a massive frontal assault on our development center by a horde of torch and pitchfork wielding penguins and as a result we were too low on throwing chairs to repel the second assault. We are sorry if this causes you any inconvenience but until the next consignment of hand made throwing chairs arrives from Italy allowing Mr Ballmer to lead us in a fresh assault to retake the security gnome's cave we will be unable to help you with your problem. Please accept this conciliatory bucket of Microsoft® Fried Penguin drumsticks and a bottle of Microsoft Windows Vista® Kool-Aid free of charge as compensation for any inconvenience this may have caused you.

      Regards

      The Microsoft Support Team.
  • I never did trust that animated peace sign.
  • To Windows Update, same as every day!
  • ...because they're not staring at the blinky cursors, but at the blinky lights on the switches.

    Like, for instance that switch over th...Oooohhh, blinky lights. Pretty.
  • "Widespread exploitation of an unpatched Windows vulnerability involving cursor animation files over the weekend have prompted Microsoft to announce plans to release an out-of-sequence patch on Tuesday MS plans emergency update to fix blinking cursor bug."

    The Reg clearly structured this sentence knowing it would make front page on /.
    • Yes, my mental parser BSODed on that as well. I even tried to put in a period after "Tuesday", but it is still rubbish. Ya know, it wouldn't harm the editors if they just READ the summary, casually even, and post it if they manage to NOT die in agony. By God it is not too much to ask!

      Funnily enough, the April Fools stories were eerily free of error. I wonder if they were trying to say something.
  • Impacted browsers (Score:3, Informative)

    by eraser.cpp ( 711313 ) on Monday April 02, 2007 @11:51AM (#18574729) Homepage
    It should be noted that while both IE 6 and IE 7 are vulnerable in Windows XP, the damage in IE 7 in Vista is quite limited in its default "protected" mode.
    • Re: (Score:2, Funny)

      by Skiron ( 735617 )
      "...the damage in IE 7 in Vista is quite limited in its default "protected" mode."

      I think if you are running Vista, you are _damaged_ enough anyway.
      • by Fred_A ( 10934 )

        I think if you are running Vista, you are _damaged_ enough anyway.
        Your bias is showing. In protected mode, all you have to do is unplug your mouse and you're perfectly safe.
    • Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).
      • Since you're not "downloading" the cursor and executing it, but the cursor itself is a malformed file that manipulates the executable that runs "around" it (i.e. the IE7), there is no sandbox around you. The IE7 gets attacked and its flow of operation redirected (well, not really, actually it's a function of a DLL the IE uses, but that's what basically happens).

        The point is that no matter how the exploit runs, it cannot elevate its privileges above the originating EXE/DLL invoking the code.

        In Vista, IE runs
        • by pe1chl ( 90186 )
          You mean that this feature is only available to IE, and you cannot install a user-written application that has the same privilege system?

          I smell an antitrust lawsuit... such a feature should be determined by ACL on the .exe or systemcall from within the .exe, not by "magic mechanism"...
          • "You mean that this feature is only available to IE, and you cannot install a user-written application that has the same privilege system?

            I smell an antitrust lawsuit... such a feature should be determined by ACL on the .exe or systemcall from within the .exe, not by "magic mechanism"..."

            Are you sure about that, or just speculating? I'm just curious.... as this seems like it could be useful in other types of apps as well.
          • Nope, any application can lower their privileges, they just don't choose to do so...
        • That depends. After all we're talking a stack overflow here, something that by its very nature doesn't care too much for access privileges. All that has to happen here is an injection in a relevant DLL.

          Since DLLs don't run on privilege levels by themselves, being no standalone applications, they depend on the privileges available to the calling functions. Now, LoadAniIcon is (afaik) located in the user32.dll, and this dll is also used by the shell...

          I agree, it ain't easy. But boy, is it rewarding!
          • You're wrong! Because if the exploit is launched by IE7 then the DLL code is executed with the same IE7 privileges, which are very very low
            • What bothers me is that the explorer shows the same behaviour. And I'm not sure if the IE itself is doing the call, it might well be that it hands over the task to the explorer, and that could get ugly.
              • And I'm not sure if the IE itself is doing the call, it might well be that it hands over the task to the explorer, and that could get ugly.

                Vista IE can't hand anything over to explorer. It can't even open freaking notepad to view a page's source code without getting permission.
        • In a strange twist, this makes IE on Vista safer than Firefox or any other browser that runs with user level privileges.


          Not really, I run Firefox through Drop My Rights [microsoft.com] which demotes it to limited user rights. It works on both Windows XP and Vista, and it works perfectly normal as a limited user mode (I haven't tried it in constrained or untrusted mode).
    • by pe1chl ( 90186 )
      It should also be noted that only badly managed systems, where the logged-in user has administrator privileges all the time, are really vulnerable.
    • You trust that? Your confidence amuses me.

  • Give us the patch already... I mean hell... they are telling us when it will be released... which means they have written it and tested it to some degree already.

    They are probably using this few days to figure out how they can spin the whole issue to make them look good!

    I don't know why I even care... this bug doesn't affect me in the least.
  • Even more proof (Score:4, Insightful)

    by unborracho ( 108756 ) <ken.sykora@gm[ ].com ['ail' in gap]> on Monday April 02, 2007 @12:16PM (#18575049) Homepage
    That publishing security vulnerabilities on the public internet will get the issue resolved faster than simply privately notifying the company responsible for making the fix.
  • So I wonder if this[0] was just a run-of-the-mill dare where nobody really cares if you do it or not, or a double-dog dare, or the greatly feared TRIPLE-dog dare? Especially since "We made it way harder for guys to do exploits" [1]

    [0] - http://blogs.zdnet.com/Apple/?p=422 [zdnet.com]
    [1] - http://www.toptechnews.com/story.xhtml?story_id=49 854 [toptechnews.com]
  • At last! (Score:5, Funny)

    by Farmer Tim ( 530755 ) on Monday April 02, 2007 @12:27PM (#18575223) Journal
    MS plans emergency update to fix blinking cursor bug.

    Now all they need to do is fix the blinking Active X bugs, the blinking default open ports, the blinking UAC, and all the other blinking problems.

    Pardon my language...
  • I wonder, would Bill Gates and Steve Ballmer taken together be two anii?
  • "The more you try to overtake the plumbing, the easier it is to clog up the drain."

    Microsoft please take note.
  • I haven't seen an ANSI bug since my days as a BBS sysop years ago.
  • by Temujin_12 ( 832986 ) on Monday April 02, 2007 @03:08PM (#18577633)
    Interestingly, clamav's weekly scan of my home Linux server caught Exploit.Win32.MS05-002.Gen [bitdefender.com] in a few mp3 files and a tar.gz file. They weren't important files so I just deleted them. I have several Windows XP Professional machines that access it (the mp3s dir is used as the library root for windows media players).

    BitDefender's description of their detection of this virus:

    This generic detection targets .ANI files that contain malicious code addressing Integer overflow in the LoadImage API Vulnerability [secunia.com]
