Linked by Thom Holwerda on Mon 2nd Apr 2007 21:05 UTC, submitted by Dale Smoker
Microsoft has decided to rush out a fix for a flaw in Windows, saying that the problem has become too serious to ignore. The flaw, which will be patched on Tuesday, was originally disclosed to Microsoft in December, but it was not publicly reported until last week. The bug lies in the way Windows processes .ani Animated Cursor files, which are used to create cartoon-like cursors in Windows.
lemur2 Member since:
2007-02-17

{Malware doesn't care about your box, it cares about being able to communicate with other malware and last time I checked (like 5 seconds ago) regular users can make outgoing connections and listen on local ports (above 1024). That's all a botnet needs, for example. }

No, for several reasons.

Firstly, the "paradigm" on Windows systems is all wrong, from a security perspective. Users are routinely expected to install stuff. They often run as root. The typical means to install stuff is by running an uncredentialled executable, as root. There is no central, vetted repository of stuff to install, and users are expected to search for it themselves. Users have absolutely zero means of vetting or auditing the quality of stuff they install. Malware (for Windows systems) can hide in millions of places by virtue of the myriad closed-source applications. Finally, the vendor of the OS does not have users' interests in mind, but rather the vendor's own interest drives the functionality of the system.

The other paradigm on Windows systems is that "data files include executable instructions". As already mentioned, installation packages are typically executables, rather than passive data files. Picture files have executable hooks ... witness the .wmf security hole of recent times. Even mouse cursor definition files have executable hooks ... witness the .ani security hole of very recent times. CD-ROMs include "autoexecute" files. Office files include executable macros ... and so on, and so on. This type of "security hole just waiting to be exploited via embedding instructions in data" is absolutely riddled throughout the Windows world.

Finally, no-one can "hide" malware in open source programs. Open source programs are vettable and auditable, and are necessarily written in the user's best interest (otherwise other code would "win" in the meritocracy ... this is the major win of the open source paradigm versus the closed source model). So, if you simply adopt a straightforward policy on a Linux system which goes "only install stuff from repositories using your package manager" ... then you are guaranteed to never get malware.

There are no botnets for Linux.

Edited 2007-04-03 23:57

Reply Parent Score: 1

Soulbender Member since:
2005-08-18

"No, for several reasons."
Yes, botnets etc. do not need root access.

"Firstly, the "paradigm" on Windows systems is all wrong, from a security perspective."

Well, sure, but malware does not need to rely on that.

"The other paradigm on Windows systems is that "data files include executable instructions"."

Uh, no they don't. But certain apps have had bugs that allowed code execution when data files are loaded. A buffer overflow is not the same as data files including executable content though. Buffer overflow problems aren't unique to Windows and there have been several bugs like this in Unix apps.

"Finally, no-one can "hide" malware in open source programs."

That's not the point. Malware can spread by exploiting application vulnerabilities.

"There are no botnets for Linux."

Really, are you sure about that?
http://blogs.securiteam.com/index.php/archives/304

In case you don't know who gaid (Gadi Evron) is, he's one of the world's premier botnet and malware researchers.

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

{Uh, no they don't. But certain apps have had bugs that allowed code execution when data files are loaded. A buffer overflow is not the same as data files including executable content though. Buffer overflow problems aren't unique to Windows and there have been several bugs like this in Unix apps. }

Semantics, IMO. You can get the system to run what you want to just by embedding data into a data file.

The .wmf exploit came about because a provision for "end print" (or somesuch) allowed one to embed a call to the OS with parameters extracted from the .wmf data file. This is in effect embedding executable code in the data file itself.

This new .ani exploit is similar, apparently. Instructions for the way that the mouse cursor is to animate are embedded in the .ani files.

http://www.eweek.com/article2/0,1895,2110151,00.asp

http://www.desktoplinux.com/news/NS3993153601.html
""ANI" stands for Animated Cursor Image format. When any version of Windows from NT to Vista opens up a corrupt ANI file with USER32.DLL, the program that loads ANIs, you've just turned your computer over to the malware's author. You can be smacked by it by opening a Web page or HTML email message that's been loaded with an ANI attack.

How bad is it? According to Determina Security Research, the company that discovered it back in December of 2005, the .ANI vulnerability lets attackers run code remotely just as if they were the logged-in user. All this from a trivial toy of a program that makes your cursor do pretty things!

...

Think you can stop it by blocking .ani files? Nope, SANS reports that crackers are renaming the .ani files as .jpegs and your Windows system will still get smacked."


Edited 2007-04-04 07:01

Reply Parent Score: 1
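A content-based check for the point the quoted article makes above (blocking by .ani extension does not help, because Windows recognises the file by its contents): this is an added example, not code from the thread or from any vendor. It identifies RIFF/ACON animated cursors regardless of filename and flags an anih header chunk whose declared length is not the 36 bytes of the fixed-size ANIHEADER structure, which is the malformation the MS07-017 fix rejects (a fact from outside this page); the sample blobs are constructed here for the demonstration.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER is nine 32-bit fields; any other declared size is malformed

def is_ani(data: bytes) -> bool:
    """Identify an animated cursor by its RIFF/ACON signature, never by file extension."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def _walk(data: bytes, pos: int, end: int, findings: list) -> None:
    """Iterate RIFF chunks in data[pos:end], descending into LIST containers."""
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start, body_end = pos + 8, pos + 8 + size
        if body_end > end:  # declared length runs past the container: truncated or lying
            findings.append(("truncated_chunk", cid.decode("latin-1"), size))
            return
        if cid == b"anih" and size != ANIH_SIZE:
            findings.append(("bad_anih_size", cid.decode("latin-1"), size))
        elif cid == b"LIST":
            _walk(data, body_start + 4, body_end, findings)  # skip the 4-byte list type
        pos = body_end + (size & 1)  # RIFF chunks are padded to an even boundary

def scan_ani(data: bytes) -> list:
    """Return findings for a suspected ANI blob; an empty list means structurally sane."""
    findings = []
    if not is_ani(data):
        return findings
    _walk(data, 12, len(data), findings)
    return findings

def build_ani(chunks: list) -> bytes:
    """Constructed test-data helper: wrap (id, payload) pairs in a RIFF/ACON container."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

# Constructed samples: a well-formed header, and one whose anih chunk claims 200 bytes.
GOOD = build_ani([(b"anih", struct.pack("<9I", 36, 1, 1, 32, 32, 0, 0, 6, 1))])
ODD = build_ani([(b"LIST", b"fram" + b"icon" + struct.pack("<I", 0)), (b"anih", b"A" * 200)])

if __name__ == "__main__":
    # The filename is irrelevant: a renamed .jpg is still detected and scanned by content.
    for name, blob in (("cursor.ani", GOOD), ("cursor.jpg", ODD)):
        print(name, "ANI by content:", is_ani(blob), "findings:", scan_ani(blob))
```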