Dave Laird
2007-03-31 20:37:34 UTC
US-CERT Technical Cyber Security Alert TA07-089A -- Microsoft Windows ANI
header stack buffer overflow
From: CERT Advisory <cert-***@cert.org> (CERT(R) Coordination Center -
+1
412-268-7090)
To: cert-***@cert.org Date: Yesterday 11:47:52 am
National Cyber Alert System
Technical Cyber Security Alert TA07-089A
Microsoft Windows ANI header stack buffer overflow
Original release date: March 30, 2007
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows 2000, XP, Server 2003, and Vista are
affected. Applications that provide attack vectors include:
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
* Microsoft Windows Mail
* Microsoft Windows Explorer
Overview
An unpatched buffer overflow vulnerability in the way Microsoft
Windows handles animated cursor files is actively being exploited.
I. Description
A stack buffer overflow exists in the code that Microsoft Windows
uses to processes animated cursor files. Specifically, Microsoft
Windows fails to properly validate the size of an animated cursor file
header supplied in animated cursor files.
Animated cursor files can be included with HTML files. For instance,
a web site can use an animated cursor file to specify the icon that the
mouse pointer should use when hovering over a hyperlink. Because of
this, malicious web pages and HTML email messages can be used to
exploit this vulnerability. In addition, animated cursor files are
automatically parsed by Windows Explorer when the containing folder is
opened or the file is used as a cursor. Because of this, opening a
folder that contains a specially crafted animated cursor file will also
trigger this vulnerability.
Note that Windows Explorer will process animated cursor files with
several different file extensions, such as .ani, .cur, or .ico.
Furthermore, Windows will automatically render animated cursor files
referenced by HTML documents regardless of the animated cursor file
extension.
This vulnerability is actively being exploited.
More information is available in Vulnerability Note VU#191609.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code. Exploitation may occur when a user clicks a malicious link,
reads or forwards a specially crafted HTML email, or accesses a folder
containing a malicious animated cursor file.
III. Solution
Until a fix is available, refer to the Solution section of
Vulnerability Note VU#191609 for the latest workarounds.
IV. References
* Vulnerability Note VU#191609 -
<http://www.kb.cert.org/vuls/id/191609>
* Microsoft Security Advisory (935423) -
<http://www.microsoft.com/technet/security/advisory/935423.mspx>
* Unpatched Drive-By Exploit Found On The Web -
<http://www.avertlabs.com/research/blog/?p=230>
* TROJ_ANICHMOO.AX - Description and Solution -
<http://www.trendmicro.com/vinfo/virusencyclo/
default5.asp?VName=TROJ%5FANICMOO%2EAX>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-089A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <***@cert.org> with "TA07-089A Feedback VU#191609" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
March 30, 2007: Initial release
End of signed message
Dave
header stack buffer overflow
From: CERT Advisory <cert-***@cert.org> (CERT(R) Coordination Center -
+1
412-268-7090)
To: cert-***@cert.org Date: Yesterday 11:47:52 am
National Cyber Alert System
Technical Cyber Security Alert TA07-089A
Microsoft Windows ANI header stack buffer overflow
Original release date: March 30, 2007
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows 2000, XP, Server 2003, and Vista are
affected. Applications that provide attack vectors include:
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
* Microsoft Windows Mail
* Microsoft Windows Explorer
Overview
An unpatched buffer overflow vulnerability in the way Microsoft
Windows handles animated cursor files is actively being exploited.
I. Description
A stack buffer overflow exists in the code that Microsoft Windows
uses to processes animated cursor files. Specifically, Microsoft
Windows fails to properly validate the size of an animated cursor file
header supplied in animated cursor files.
Animated cursor files can be included with HTML files. For instance,
a web site can use an animated cursor file to specify the icon that the
mouse pointer should use when hovering over a hyperlink. Because of
this, malicious web pages and HTML email messages can be used to
exploit this vulnerability. In addition, animated cursor files are
automatically parsed by Windows Explorer when the containing folder is
opened or the file is used as a cursor. Because of this, opening a
folder that contains a specially crafted animated cursor file will also
trigger this vulnerability.
Note that Windows Explorer will process animated cursor files with
several different file extensions, such as .ani, .cur, or .ico.
Furthermore, Windows will automatically render animated cursor files
referenced by HTML documents regardless of the animated cursor file
extension.
This vulnerability is actively being exploited.
More information is available in Vulnerability Note VU#191609.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code. Exploitation may occur when a user clicks a malicious link,
reads or forwards a specially crafted HTML email, or accesses a folder
containing a malicious animated cursor file.
III. Solution
Until a fix is available, refer to the Solution section of
Vulnerability Note VU#191609 for the latest workarounds.
IV. References
* Vulnerability Note VU#191609 -
<http://www.kb.cert.org/vuls/id/191609>
* Microsoft Security Advisory (935423) -
<http://www.microsoft.com/technet/security/advisory/935423.mspx>
* Unpatched Drive-By Exploit Found On The Web -
<http://www.avertlabs.com/research/blog/?p=230>
* TROJ_ANICHMOO.AX - Description and Solution -
<http://www.trendmicro.com/vinfo/virusencyclo/
default5.asp?VName=TROJ%5FANICMOO%2EAX>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-089A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <***@cert.org> with "TA07-089A Feedback VU#191609" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
March 30, 2007: Initial release
End of signed message
Dave
--
Dave Laird (***@kharma.net)
The Used Kharma Lot/The Phoenix Project
An automatic & random thought For the Minute from the Unix Fortunes:
I've always considered statesmen to be more expendable than soldiers.
Dave Laird (***@kharma.net)
The Used Kharma Lot/The Phoenix Project
An automatic & random thought For the Minute from the Unix Fortunes:
I've always considered statesmen to be more expendable than soldiers.