Linked by Thom Holwerda on Mon 2nd Apr 2007 21:05 UTC, submitted by Dale Smoker
Microsoft has decided to rush out a fix for a flaw in Windows, saying that the problem has become too serious to ignore. The flaw, which will be patched on Tuesday, was originally disclosed to Microsoft in December, but it was not publicly reported until last week. The bug lies in the way Windows processes .ani Animated Cursor files, which are used to create cartoon-like cursors in Windows.
Permalink for comment 227204

{Uh, no they don't. But certain apps have had bugs that allowed code execution when data files are loaded. A buffer overflow is not the same as data files including executable content though. Buffer overflow problems aren't unique to Windows and there have been several bugs like this in Unix apps. }

Semantics, IMO. You can get the system to run what you want to just by embedding data into a data file.

The .wmf exploit came about because a provision for "end print" (or somesuch) allowed one to embed a call to the OS with parameters extracted from the .wmf data file. This is in effect embedding executable code in the data file itself.

This new .ani exploit is similar, apparently. Instructions for the way that the mouse cursor is to animate are embedded in the .ani files.,1895,2110151,00.asp
""ANI" stands for Animated Cursor Image format. When any version of Windows from NT to Vista opens up a corrupt ANI file with USER32.DLL, the program that loads ANIs, you've just turned your computer over to the malware's author. You can be smacked by it by opening a Web page or HTML email message that's been loaded with an ANI attack.

How bad is it? According to Determina Security Research, the company that discovered it back in December of 2005, the .ANI vulnerability lets attacks run code remotely just as if they were the logged in user. All this from a trivial toy of a program that makes your cursor do pretty things!


Think you can stop it by blocking .ani files? Nope, SANS reports that crackers are renaming the .ani files as .jpegs and your Windows system will still get smacked."

Edited 2007-04-04 07:01

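The point quoted above, that renaming an .ani file to .jpeg does not stop Windows from treating it as a cursor, is why filtering has to look at content rather than the file name. The following is an added example, not part of the comment or the quoted article: it identifies ANI data by its RIFF container and `ACON` form type and runs basic structural checks on the 36-byte `anih` header chunk. The function names and the sample bytes are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # size of the fixed ANI header structure stored in the "anih" chunk

def chunks(data, pos=12):
    """Yield (fourcc, declared_size, offset) for each top-level RIFF chunk."""
    while pos + 8 <= len(data):
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield data[pos:pos + 4], size, pos
        pos += 8 + size + (size & 1)  # RIFF pads chunk data to an even length

def inspect(name, data):
    """Return None if data is not ANI, else a list of findings (empty = clean)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return None
    findings = []
    if not name.lower().endswith(".ani"):
        findings.append("ANI content under a non-.ani name")
    anih_seen = 0
    for fourcc, size, pos in chunks(data):
        if pos + 8 + size > len(data):
            findings.append(f"chunk at offset {pos} overruns the file")
            break
        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at offset {pos} declares {size} bytes")
    if anih_seen != 1:
        findings.append(f"{anih_seen} anih chunks, expected 1")
    return findings

# --- constructed sample data (not real cursor files) ---
def chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

def riff_acon(*parts):
    body = b"ACON" + b"".join(parts)
    return b"RIFF" + struct.pack("<I", len(body)) + body

HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)  # 9 DWORDs = 36 bytes
GOOD = riff_acon(chunk(b"anih", HEADER))
ODD = riff_acon(chunk(b"anih", HEADER), chunk(b"anih", b"\0" * 80))

if __name__ == "__main__":
    for name, data in [("cursor.ani", GOOD), ("photo.jpeg", GOOD),
                       ("cursor.ani", ODD), ("real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16)]:
        print(name, "->", inspect(name, data))
```

The walker only visits top-level chunks, so a mail or web gateway using this idea would still need to descend into `LIST` chunks for full coverage.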