MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).
Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or/home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).
It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".
Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.
Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.
Writing a secure browser is inherently difficult, particularily if you want to execute untrusted code, run complex parsers, or run neat active features.
Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?
MS took an enormous step in security with their release of IE 7
If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.
This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.
It already haven't been. The guys who found the exploit say [determina.com] that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclosed the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.
In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.
It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.
Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?
Until a patch is released, turn off active cursors.
HOW? Because, you know, your very own [microsoft.com] security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!
Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.
Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.
Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep
you this that's bad, there was another security flaw in the mouse code announced over 15 months ago( Jan 05 ). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd atleast want to be refactoring what you have to touch because of bugs or, for example, security holes.
But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band aide on it and send it right into the Windows Vista product is just plain bad.
Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.
What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.
Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.
"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.
Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"
Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.
FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe in their infinite wisdom requires you to turn off protected mode to be able to write PDF (using acrobat) from IE. More adobe's fault than anything else.
It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited.html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.
The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.
With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.
This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.
Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29 [windowsitpro.com]. So, their problems with animated cursors are really old, back to the NT 4 era.
Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.
Well, one can understand programmers making stupid mistakes, and creating vulnerabilities. And everytime you add features, whether it is important or just bells and whistles, you always run the risk of opening up another vulnerabilities. Granting all that, why is it that, in 2007, after Vista, with "Security is Job 1 in MSFT", why does a vulnerability in a browser goes all the way up to executing arbitrary code? Browsers are expected to get data from untrustable sites, they should have heavy armour protection. Why the users are putting up with this nonsense?
Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks,... and the world reacts with a collective shrug.
Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.
No doubt you aren't a programmer, and wouldn't really grasp how complex a piece of software like a web browser really is,
Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.
I'll own up and admit to having used exclusively animated cursors in the past... but then again, I was a mouthbreathing teenager in the mid 1990s with my first Pentium. I also had Star Trek WAVs hooked to all my Windows events, ran After Dark's screensaver app at all times, used any excuse to look things up Compton's Interactive Encyclopedia CD-ROM, and obsessively hoarded Voyager publicity photos from Compuserve. A few blinky wiggly pointers shaped like phasers and lightsabers were the least of my crimes
Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.
Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn of 'Remember each folder settings' option.
I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...
That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X. You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.
Our security expert, Jackson M., just tolds us: " So, ANI are you ok ? Are you ok ANI ?
You've been hit by... you've been hit by... a smooth criminal ! "
by Anonymous Coward
on Friday March 30 2007, @09:01AM (#18542665)
A workaround for this is to install some quality cursors. I use the comet cursor package that installed itself automatically when I browsed the web. It has some great cursors and loads of other features that make using Windows far more entertaining.
I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.
If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:
For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:
body {cursor: url('cursor.ani');} <BODY style="CURSOR: url('cursor.ani')"> <BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified.ANI file which exploits the hole in IE.
I am almost positive there is no way to disable this in IE.
SANS [sans.org] says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).
Y'know, if you'd told me that M$ rolled out their new WindowsFS and it had a vulnerability or two, I'd be amused. Not surprised, not shocked, amused. New and exciting technologies rarely work correctly the first time they're tried.
If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.
If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.
The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?
I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .
The Microsoft Advisory - whom we all trust - shows that the fuzz here in/. is unnecessary. RTMF (Read The Mitigating Factors) !: In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See, much ado about nothing !:
- the attacker would have to host a web site [surely, they couldn't, could they !]
- the attacker could compromise a web site [probably they would not know how to, would they !]
- the attacker has no way to force the user to visit a specific website [see !] Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
- the attacker would need to persuade us [just told my wife not to answer the phone or door bell]
Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.
Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors ! Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !
Sure am glad I just upgraded to Vista and Office 2007:
Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
I think the important thing here to note is that MS is actually delivering on it's promise to deliver a more secure OS and set of applications for users.
by Anonymous Coward
on Friday March 30 2007, @09:46AM (#18543281)
It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.
Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.
You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.
The UAC dialog would not be shown in this case. The UAC box only is shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate it's permissions while it is already running. If the process tries to access a restriced area of the filesystem/registry etc while it is already running under these permissions the API call will be denied.
IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.
I guess you are not a student of Computer Science. Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple actual practice is hard.
A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.
Guess you are STILL a Computer Scientist student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists to every possible abuse.
I was going to try to be calm and rational about this, but screw it.
It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.
You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
Why would my cursor run as root? (Score:5, Insightful)
Re:Why would my cursor run as root? (Score:4, Informative)
It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".
Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
Parent
Re:Why would my cursor run as root? (Score:5, Informative)
Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.
Parent
Re:Why would my cursor run as root? (Score:4, Insightful)
Let's see.
Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?
If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.
It already haven't been. The guys who found the exploit say [determina.com] that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclosed the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.
It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.
Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?
HOW? Because, you know, your very own [microsoft.com] security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!
Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.
Parent
Re:Why would my cursor run as root? (Score:5, Insightful)
http://www.checkpoint.com/defense/advisories/publ
But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band aide on it and send it right into the Windows Vista product is just plain bad.
Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.
LoB
Parent
Re:Why would my cursor run as root? (Score:5, Insightful)
Parent
Re:Why would my cursor run as root? (Score:5, Funny)
Successful.
Parent
Re:Why would my cursor run as root? (Score:5, Funny)
"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.
Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"
Parent
Re:Why would my cursor run as root? (Score:5, Insightful)
Parent
Re:Why would my cursor run as root? (Score:4, Interesting)
Parent
Re:IE protected mode (Score:4, Interesting)
Parent
Surprise, Windows Listed as Most Secure OS (Score:5, Funny)
Re: Surprise, Windows Listed as Most Secure OS (Score:5, Funny)
Parent
Pfff. Locked in a vault? (Score:5, Funny)
Parent
Good heavens... (Score:4, Funny)
Parent
This old? (Score:5, Insightful)
Re:This old? (Score:5, Insightful)
Parent
Re:This old? (Score:5, Insightful)
Parent
Re:This old? (Score:4, Informative)
Parent
Re: (Score:3, Insightful)
Re:This old? (Score:4, Informative)
So, their problems with animated cursors are really old, back to the NT 4 era.
Parent
Oblig. (Score:3, Funny)
The Solution is Amazing (Score:5, Funny)
Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.
Re:The Solution is Amazing (Score:5, Funny)
Parent
Only affects rendering using the IE engine... (Score:5, Interesting)
Why does it get to be this bad? (Score:4, Insightful)
Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.
Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.
Re:Why does it get to be this bad? (Score:5, Funny)
Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.
Parent
What kind of mouthbreather would even... (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
My cursor is a big punching glove. It makes hitting that damn monkey that much easier...
What's to investigate? (Score:3, Informative)
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.
Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn of 'Remember each folder settings' option.
I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
Re:What's to investigate? (Score:5, Insightful)
That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.
Parent
Criminals using this vulnerability ? (Score:5, Funny)
" So, ANI are you ok ? Are you ok ANI ?
You've been hit by... you've been hit by... a smooth criminal ! "
A workaround for this... (Score:5, Funny)
I use the comet cursor package that installed itself automatically when I browsed the web.
It has some great cursors and loads of other features that make using Windows far more entertaining.
I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.
I can hear Ballmer screaming... (Score:5, Funny)
Solution: "You are trying to move the mouse..." (Score:5, Funny)
Caution (Score:5, Informative)
http://www.secureworks.com/research/threats/gozi/ [secureworks.com]
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.
IE loads animated cursors via CSS (Score:5, Informative)
body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified
I am almost positive there is no way to disable this in IE.
Re:IE loads animated cursors via CSS (Score:5, Informative)
Parent
Un-fragging-believable! (Score:5, Insightful)
If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.
If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.
The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?
I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .
Don't worry ! (Score:4, Insightful)
RTMF (Read The Mitigating Factors) !:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See, much ado about nothing !:
- the attacker would have to host a web site [surely, they couldn't, could they !]
- the attacker could compromise a web site [probably they would not know how to, would they !]
- the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
- the attacker would need to persuade us [just told my wife not to answer the phone or door bell]
Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.
Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !
Boy... (Score:4, Funny)
Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
I think the important thing here to note is that MS is actually delivering on it's promise to deliver a more secure OS and set of applications for users.
Re:First Pwndst (Score:4, Insightful)
Parent
Re:First Pwndst (Score:5, Interesting)
Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.
You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.
Parent
Re:First Pwndst (Score:4, Interesting)
The UAC dialog would not be shown in this case. The UAC box only is shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate it's permissions while it is already running. If the process tries to access a restriced area of the filesystem/registry etc while it is already running under these permissions the API call will be denied.
Parent
Re:First Pwndst (Score:5, Interesting)
Parent
Re:goddam hackers (Score:5, Informative)
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple actual practice is hard.
A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.
Parent
Re:goddam hackers (Score:5, Insightful)
I was going to try to be calm and rational about this, but screw it.
It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.
Seriously. Quit before you break something.
Parent
Re:goddam hackers (Score:4, Funny)
Parent
Re:Vista Security. (Score:5, Funny)
Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."
I think this was carefully worded by them so they could say it with an honest face.
Parent