Windows .ANI Problem Surfaced Two Years Ago
Posted by
Zonk
on Fri Apr 06, 2007 04:22 PM
from the about-twenty-times-longer-than-firefly's-run dept.
An anonymous reader writes "There's a new twist to the tale of the Windows .ANI exploit that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old one, but beyond that they're not talking."
Related Stories
Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
WoW Players Targeted By Windows Flaw Exploit
grimwell writes "The BBC is carrying the story that the ANI flaw is being used to target World of Warcraft players, as hackers search for account details. 'Analysis of that malicious software showed that it lay dormant on a victim's machine until they ran World of Warcraft (WoW), at which point it captured login data and sent it to the hacking group ... Research by security firm Symantec suggests that the raw value of a WoW account is now higher than a credit card and its associated verification data.'" Doubtless, any compromised accounts would quickly see their equipment sold, and the resulting gold transferred to another account. This gold would then be sold for US currency to Real Money Traders like the company IGE.
MS Mulling Changes to Thwart .ANI-type Attacks
Scada Moosh writes "ZDNet has a story about the lessons Microsoft learned from the recent animated cursor (.ani) attacks and some of the broad changes being made to flag this type of vulnerability ahead of time. The changes include a possible addition to the list of banned API function calls, more aggressive checks for buffer overruns and enhancements to existing fuzz testing tools. '[Michael] Howard said Microsoft will "rethink the heuristics" used by the /GS compiler to flag certain issues. "Changing the compiler is a long-term task. In the short-term, we have a new compiler pragma that forces the compiler to be much more aggressive, and we will start using this pragma on new code," he added. Two other Windows Vista security mechanisms -- ASLR and SafeSEH -- were also in place to catch code failures but, in the case of the .ani bug, Howard said the attackers were able to wrap vulnerable code in an exception handler to find ways around those mitigations.'"
How is that a lure? (Score:5, Funny)
Talk about an anti-virus.
If all attempts to hijack my machine involved using her as a lure, I'd uninstall AVP in a heartbeat; you couldn't pay me to see her nude.
Re:How is that a lure? (Score:5, Funny)
Strange... (Score:4, Funny)
a-HA! (Score:2)
So now we can say that Windows actually had twice as many ANI bugs as we originally thought and Microsoft admitted so themselves.
Wouldn't that be (Score:5, Funny)
Re:Wouldn't that be (Score:5, Funny)
Nothing to see here.. (Score:2)
This ANI exploit is different! (Score:5, Funny)
Of course this
Incompetent Liars (Score:5, Insightful)
If you read the slashdot summary (or even the whole first page of the article), you get the impression that some people think the bug is pretty much the same thing as the 2005 one and that Microsoft disagrees. The story is structured like a "He said, she said," kind of thing and no one is painted as right or wrong. If you *do* manage to make it to the second page of the article however, you find out that several very respected security professionals and security companies present detailed compelling evidence to the effect that Microsoft is both incompetent and disingenuous in their opinion on this bug.
It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them. This by reason of Microsoft's own self-stated bug hunting and code modification procedures.
The conclusion is absolutely inescapable that Microsoft completely failed to follow their own basic rules of coding and security auditing here. They also are lying, or at the very least splitting hairs, about it being a "separate issue," and they seem to be deliberately trying to pull the wool over people's eyes about it. Yet this story has been reported around the web as a kind of "maybe McAfee is right, or maybe Microsoft is right," thing for the most part??? Why?
On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.
Why do people buy products from these people again?
And why do they always seem to get the benefit of the doubt in the media?
Re:Incompetent Liars (Score:5, Insightful)
I'll just assume your case is the latter
Sure, copy-and-paste duplication should be avoided where possible, along with gotos, reinventing the wheel, long complicated functions, lack of type safety, etc.
Also, all code should really be a perfect and pristine example of elegance and modularity. Bug-free is even better!
Reality bites, though.
Unless we're talking of brand-new projects of a small size, I find it really hard to believe that committing to 0% copy-and-paste code is a practical proposition.
For a non-trivial product with some legacy, copy-and-paste is often the best among various non-optimal choices.
- Do you really want to tightly couple these two unrelated components because you want to use those 5 lines of code?
- Can you afford to carry over all of the dependencies on that library or class?
- Or can you afford the refactoring to avoid those dependencies? How many new components (which were not changing before) do you need to retest now that you pulled the code out?
- Can you afford to lose that development and testing time on other features that you need for RTM?
That's not to mention the almost-guaranteed design time discussing where that re-usable code should move to in the first place... and do we need to change it to make it more generic? Do we need to ship all the refactored components with no functionality change? etc. etc.
I agree with the sentiment: Copy-and-paste duplication sucks, and should be avoided wherever possible.
But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.
nothing to see here... ssdd... remember winnuke? (Score:1)
Out of interest.... (Score:5, Funny)
Re:Out of interest.... (Score:5, Funny)
Re:Out of interest.... (Score:5, Funny)
Fitting (Score:2)
Meh (Score:1)
I can see two separate bugs causing the same result; I've dealt with it tons of times.
"the bug is back, you didn't fix it"
and I say, "no this one is different"
Meh
Who really fucking cares?
useless (Score:3, Insightful)
It would be nice to have real information on this (Score:2)
ASUS website hacked (Score:1)
http://www.infoworld.com/article/07/04/06/HNasust
Although I never visited the site because it was slow to begin with and had the worst download rates.
Netcraft says for the asus.com website that it was running Windows Server 2003, but other foreign ASUS sites were running a mix of Linux/BSD.
Cut it out (Score:5, Funny)
Steve, leave the slashdot editors alone. If you need to blow off steam, go throw a chair or something.