Windows Vulnerability in Animated Cursor Handling 338
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
What's to investigate? (Score:3, Informative)
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.
Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn of 'Remember each folder settings' option.
I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)
Re:First Pwndst (Score:1, Informative)
Re:First Pwndst (Score:1, Informative)
Re:Only affects rendering using the IE engine... (Score:2, Informative)
Re:goddam hackers (Score:5, Informative)
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.
The concept is simple actual practice is hard.
A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.
Re:The Solution is Amazing (Score:2, Informative)
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.
Who needs animated cursors, anyway?
Re:This old? (Score:4, Informative)
So, their problems with animated cursors are really old, back to the NT 4 era.
Caution (Score:5, Informative)
http://www.secureworks.com/research/threats/gozi/ [secureworks.com]
This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.
Re:What's to investigate? (Score:3, Informative)
I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
Re:Why would my cursor run as root? (Score:4, Informative)
It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".
Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.
Re:What kind of mouthbreather would even... (Score:3, Informative)
I don't know that there is any way to turn that off in IE or Outlook using IE's rendering.
IE loads animated cursors via CSS (Score:5, Informative)
body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">
You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified
I am almost positive there is no way to disable this in IE.
IE protected mode (Score:2, Informative)
Protected mode IE *does* have the ability to read anything that the user would regularly have access to, and through a helper application (ieuser.exe) is able to ask the user to download files or change IE settings. And anything else the user does in that particular IE process can be read or altered.
So with protected mode IE the vulnerability does allow the execution of arbitrary code and it can steal your data files, but it can't write to your regular files or system files.
Re:IE loads animated cursors via CSS (Score:3, Informative)
Re:Why would my cursor run as root? (Score:3, Informative)
It is on by default for all but the trusted zone.
That leaves at least 95% of the installed base of desktops vulnerable.
Or you know.. not..
There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.
Re:This old? (Score:4, Informative)
Re:IE loads animated cursors via CSS (Score:5, Informative)
Re:Why would my cursor run as root? (Score:5, Informative)
Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.