
Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
  • by roman_mir ( 125474 ) on Friday March 30, 2007 @09:57AM (#18542613) Homepage Journal
    Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not use MS, but in many cases it is not an option.

    Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off the 'show content while dragging window' option, switch to the 'classic' look for Explorer, make sure that there are no thumbnails, switch to 'details' in Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn off the 'Remember each folder settings' option.

    I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients, do not allow active content to execute and never trust attachments.) It's a real pain; it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
  • Re:First Pwndst (Score:1, Informative)

    by Anonymous Coward on Friday March 30, 2007 @09:59AM (#18542641)
    'With', not 'and'. In other words, IE7 on XP could still be vulnerable, or Vista could by opening the cursor file through some non-IE7 means.
  • Re:First Pwndst (Score:1, Informative)

    by Anonymous Coward on Friday March 30, 2007 @09:59AM (#18542649)
    Vista w/ Windows Mail seems to be vulnerable.
  • by bubbl07 ( 777082 ) on Friday March 30, 2007 @10:00AM (#18542661) Homepage
    My apologies, article here [avertlabs.com].
  • Re:goddam hackers (Score:5, Informative)

    by jellomizer ( 103300 ) * on Friday March 30, 2007 @10:02AM (#18542699)
    I guess you are not a student of Computer Science.
    Every parameter from every possible input needs to be verified for its correctness. If it isn't, you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.

    The concept is simple; actual practice is hard.

    A lot of the time these hacks are not found because someone was looking for a way to hack the system, but because they realized there was a problem when they did something wrong and it didn't return errors but had disastrous consequences.
  • by penp ( 1072374 ) on Friday March 30, 2007 @10:16AM (#18542843)
    If you read the link [microsoft.com] to Microsoft's advisory about the exploit, it sounds like you're not even supposed to trust email from people you do know.

    As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.
    On top of that, if you read further it starts to sound like a scheme they're using to try to sell more copies of Windows Vista.

    Mitigating Factors for Animated Cursor Vulnerability

    Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

    By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

    Who needs animated cursors, anyway?
  • Re:This old? (Score:4, Informative)

    by alexhs ( 877055 ) on Friday March 30, 2007 @10:18AM (#18542873) Homepage Journal
    Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29 [windowsitpro.com].
    So, their problems with animated cursors are really old, back to the NT 4 era.
  • Caution (Score:5, Informative)

    by Alioth ( 221270 ) <no@spam> on Friday March 30, 2007 @10:29AM (#18543039) Journal
    If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

    http://www.secureworks.com/research/threats/gozi/ [secureworks.com] ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

    This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

  • by illegalcortex ( 1007791 ) on Friday March 30, 2007 @10:33AM (#18543107)

    do not allow animated anything on your desktop
    I'm not sure that's really the solution. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

    With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
    http://www.anicursor.com/webcursor.html

    I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
  • by FreshMeat-BWG ( 541411 ) <bengoodwyn AT me DOT com> on Friday March 30, 2007 @10:37AM (#18543179) Homepage
    Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).

    It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".

    Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
  • by illegalcortex ( 1007791 ) on Friday March 30, 2007 @10:44AM (#18543247)

    What kind of mouthbreather would even install an animated cursor in the first place?
    I'm not sure that's really the problem. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

    With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.
    http://www.anicursor.com/webcursor.html [anicursor.com]

    I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
  • by illegalcortex ( 1007791 ) on Friday March 30, 2007 @10:59AM (#18543473)
    For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

    body {cursor: url('cursor.ani');}
    <BODY style="CURSOR: url('cursor.ani')">
    <BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

    You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

    I am almost positive there is no way to disable this in IE.
  • IE protected mode (Score:2, Informative)

    by Anonymous Coward on Friday March 30, 2007 @11:09AM (#18543625)
    That's not quite true. The vulnerability does allow execution of arbitrary code, however protected mode IE limits the scope of what the running code can do. With protected mode IE, IE (and any processes spawned by IE) cannot write data to arbitrary locations, cannot send window messages to arbitrary windows on the user's desktop and cannot take advantage of most of the abilities that most users have. This applies even if the user is an administrator.

    Protected mode IE *does* have the ability to read anything that the user would regularly have access to, and through a helper application (ieuser.exe) is able to ask the user to download files or change IE settings. And anything else the user does in that particular IE process can be read or altered.

    So with protected mode IE the vulnerability does allow the execution of arbitrary code and it can steal your data files, but it can't write to your regular files or system files.
  • by illegalcortex ( 1007791 ) on Friday March 30, 2007 @11:21AM (#18543779)
    You could probably block the easier ones, yes. But first off, I'm not sure the file has to be named with a .ANI extension. Second, you could probably do the CSS via javascript rather than have it hardcoded like in my examples. Doing these two things would make scrubbing via a proxy much more difficult.
  • by Afecks ( 899057 ) on Friday March 30, 2007 @11:30AM (#18543907)
    The MS website seems to imply that IE7 Protected Mode is not the default

    It is on by default for all but the trusted zone.

    That leaves at least 95% of the installed base of desktops vulnerable.

    Or you know.. not..

    There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.
  • Re:This old? (Score:4, Informative)

    by fuzz6y ( 240555 ) on Friday March 30, 2007 @12:23PM (#18544749)
    Because one of the "good guys" finally found it and reported it. The "bad guys" weren't ever going to squeal.
  • by lostboy2 ( 194153 ) on Friday March 30, 2007 @12:25PM (#18544793)
    SANS [sans.org] says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).
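The two comments above (the CSS cursor trick that needs no .ANI extension, and SANS seeing exploit files renamed to .jpeg) together mean that any proxy filter keyed on the URL or the file extension is useless. What a proxy can still do is look at the bytes. The following is an added example, not code from the page, from Microsoft or from any of the linked advisories: a content sniffer that recognises an animated cursor by its container structure (a RIFF file whose form type is ACON, carrying an 'anih' header chunk whose payload is the 36-byte ANIHEADER structure) and checks every declared chunk length against the bytes actually present before trusting it. The block-everything policy, the function names and the sample byte strings are my own constructions; the sample files are built inline rather than taken from any real capture. It does not reproduce the exploit and makes no claim about which field the in-the-wild file abuses; it only refuses ANI content outright while clients are unpatched, and flags structurally malformed ANI content either way.

```python
import struct

ANIHEADER_SIZE = 36  # size of the fixed ANIHEADER structure carried in the 'anih' chunk


def iter_riff_chunks(data, offset, end):
    """Yield (fourcc, payload) for each RIFF chunk in data[offset:end].

    Every declared chunk length is checked against the bytes that are really
    there before it is used; a chunk claiming more than remains is treated as
    a malformed file rather than read past the end of the buffer.
    """
    while offset + 8 <= end:
        fourcc, size = struct.unpack_from('<4sI', data, offset)
        start = offset + 8
        stop = start + size
        if stop > end:
            raise ValueError('chunk %r declares %d bytes but only %d remain'
                             % (fourcc, size, end - start))
        yield fourcc, data[start:stop]
        offset = stop + (size & 1)  # RIFF chunk payloads are padded to an even length


def inspect_ani(data):
    """Describe a response body by content, ignoring the name it was served under.

    Returns {'is_ani': bool, 'anih_sizes': [...], 'findings': [...]}; each
    finding is one reason the ANI structure is malformed.
    """
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return {'is_ani': False, 'anih_sizes': [], 'findings': []}
    declared = struct.unpack_from('<I', data, 4)[0]
    end = min(len(data), 8 + declared)  # never trust the RIFF size beyond the buffer
    result = {'is_ani': True, 'anih_sizes': [], 'findings': []}
    try:
        for fourcc, payload in iter_riff_chunks(data, 12, end):
            if fourcc == b'anih':
                result['anih_sizes'].append(len(payload))
                if len(payload) != ANIHEADER_SIZE:
                    result['findings'].append('anih chunk is %d bytes, expected %d'
                                              % (len(payload), ANIHEADER_SIZE))
    except ValueError as exc:
        result['findings'].append(str(exc))
    if len(result['anih_sizes']) != 1:
        result['findings'].append('expected exactly one anih chunk, found %d'
                                  % len(result['anih_sizes']))
    return result


def classify(data, block_all_ani=True):
    """Proxy decision for one response body: 'allow' or 'block: <reason>'.

    block_all_ani=True (my suggested setting while clients are unpatched) drops
    any ANI content whatever its extension; False drops only malformed ANI.
    """
    info = inspect_ani(data)
    if not info['is_ani']:
        return 'allow'
    if info['findings']:
        return 'block: ' + '; '.join(info['findings'])
    return 'block: ani content' if block_all_ani else 'allow'


def build_ani(anih_payload):
    """Constructed sample (not a real cursor): RIFF/ACON holding a single anih chunk."""
    chunk = b'anih' + struct.pack('<I', len(anih_payload)) + anih_payload
    chunk += b'\0' * (len(anih_payload) & 1)
    body = b'ACON' + chunk
    return b'RIFF' + struct.pack('<I', len(body)) + body


# Constructed samples: a well-formed 36-byte header (cbSize, cFrames, cSteps,
# cx, cy, cBitCount, cPlanes, JifRate, flags), an oversized header, a file cut
# short so a chunk overruns it, and a JPEG start-of-image marker.
GOOD_ANI = build_ani(struct.pack('<9I', ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 1, 1))
OVERSIZED_ANI = build_ani(b'A' * 64)
TRUNCATED_ANI = GOOD_ANI[:-10]
REAL_JPEG_PREFIX = b'\xff\xd8\xff\xe0' + b'\0' * 20

SAMPLES = {
    'cursor.ani': GOOD_ANI,
    'photo.jpg (ANI renamed, as in the SANS report)': GOOD_ANI,
    'photo2.jpg (oversized anih)': OVERSIZED_ANI,
    'cut.jpg (truncated ANI)': TRUNCATED_ANI,
    'photo.jpg (real JPEG)': REAL_JPEG_PREFIX,
}

if __name__ == '__main__':
    for name, blob in SAMPLES.items():
        print('%-48s -> %s' % (name, classify(blob)))
```

Because the decision is made on the body, it does not matter whether the cursor URL was written into the CSS by hand or injected from JavaScript, nor what extension the server used. The usual caveats apply: a proxy sees only HTTP, so the e-mail and attachment vector in the advisories is untouched, and real traffic would need the body decompressed before this runs.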

  • by Rutulian ( 171771 ) on Friday March 30, 2007 @12:54PM (#18545241)
    Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.

    Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason is that most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.
