Windows Vulnerability in Animated Cursor Handling
MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."
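The summary describes the bug only as an unspecified error in animated cursor handling, reached through a web page or a mail message. As an added example (not code from the original page or from Microsoft, and not a reproduction of the actual defect, which the page does not describe), here is a bounds-checked reader for the RIFF/ACON container that .ani files use, written in C. The chunk layout and the 36-byte anih header are the documented .ani format; the function names, the error codes and the constructed sample file are assumptions of this example. The check it exists to show is the one every chunk-based parser needs: a chunk's declared length comes from the file and must be bounded by the bytes actually present before anything is read or copied from it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* .ani files are RIFF containers: "RIFF" <u32 size> "ACON", then chunks of
 * <4-byte tag> <u32 len> <payload>, payload padded to an even length, all
 * little-endian.  The "anih" payload is a fixed 36-byte ANIHEADER of nine
 * DWORDs: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags.
 * Illustrative parser (not Microsoft's code); every length field is untrusted. */

#define ANIH_SIZE 36u

typedef struct { uint32_t field[8]; } anih_t;   /* the eight DWORDs after cbSizeof */
enum { ANI_FRAMES, ANI_STEPS, ANI_CX, ANI_CY, ANI_BITS, ANI_PLANES, ANI_RATE, ANI_FLAGS };
enum { ANI_OK = 0, ANI_BAD_RIFF, ANI_TRUNCATED, ANI_BAD_ANIH, ANI_NO_ANIH };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse an in-memory .ani; on success *out holds the anih fields (out may be NULL). */
int ani_parse(const uint8_t *buf, size_t len, anih_t *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_RIFF;

    /* The RIFF size field is untrusted too: clamp it to the buffer we hold. */
    uint32_t riff_len = rd32(buf + 4);
    size_t end = (riff_len > len - 8) ? len : (size_t)riff_len + 8;

    size_t pos = 12;
    int have_anih = 0;
    while (pos + 8 <= end) {                    /* room for tag + length field? */
        uint32_t clen = rd32(buf + pos + 4);
        size_t payload = pos + 8;

        /* The check that matters: declared chunk length vs. bytes remaining. */
        if (clen > end - payload)
            return ANI_TRUNCATED;

        if (memcmp(buf + pos, "anih", 4) == 0) {
            /* Fixed-size header: any length other than 36 is malformed.  Copying
             * clen bytes into a 36-byte structure without this test is an overflow. */
            if (clen != ANIH_SIZE || rd32(buf + payload) != ANIH_SIZE)
                return ANI_BAD_ANIH;
            for (int i = 0; out && i < 8; i++)
                out->field[i] = rd32(buf + payload + 4 + 4 * i);
            have_anih = 1;
        }
        /* Other chunks (LIST/fram, rate, seq) are skipped using the same bound. */
        pos = payload + clen + (clen & 1);      /* RIFF pads odd payloads to even */
    }
    return have_anih ? ANI_OK : ANI_NO_ANIH;
}

/* Constructed sample: a one-frame .ani containing only an anih chunk, with the
 * chunk's length field set to declared_anih_len so malformed variants can be tried. */
size_t ani_make_sample(uint8_t *out, uint32_t declared_anih_len)
{
    static const uint32_t hdr[9] = { ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1 };
    memcpy(out, "RIFF", 4);
    wr32(out + 4, 4 + 8 + ANIH_SIZE);           /* "ACON" + one anih chunk */
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32(out + 16, declared_anih_len);
    for (int i = 0; i < 9; i++)
        wr32(out + 20 + 4 * i, hdr[i]);
    return 20 + ANIH_SIZE;                      /* 56 bytes */
}

/* Build the sample with the given anih length field and parse it. */
int ani_parse_sample(uint32_t declared_anih_len, anih_t *out)
{
    uint8_t buf[64];
    size_t n = ani_make_sample(buf, declared_anih_len);
    return ani_parse(buf, n, out);
}

/* One anih field of the well-formed sample, or ~0u if it fails to parse. */
uint32_t ani_sample_field(int idx)
{
    anih_t h;
    return ani_parse_sample(ANIH_SIZE, &h) == ANI_OK ? h.field[idx] : ~0u;
}

int main(void)
{
    printf("well-formed: %d, frames=%u\n", ani_parse_sample(ANIH_SIZE, NULL), ani_sample_field(ANI_FRAMES));
    printf("oversized anih length: %d\n", ani_parse_sample(0x10000, NULL));  /* ANI_TRUNCATED */
    printf("short anih length:     %d\n", ani_parse_sample(32, NULL));       /* ANI_BAD_ANIH */
    return 0;
}
```

The two malformed samples differ only in one length field, which is exactly the kind of byte an attacker controls in a cursor file served from a web page or attached to a mail message; the parser rejects both before touching the payload.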
First Pwndst (Score:2, Insightful)
Why would my cursor run as root? (Score:5, Insightful)
This old? (Score:5, Insightful)
Re:First Pwndst (Score:4, Insightful)
Re:This old? (Score:5, Insightful)
Why does it get to be this bad? (Score:4, Insightful)
Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on a slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.
Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.
Re:This old? (Score:3, Insightful)
Re:This old? (Score:5, Insightful)
Re:Why would my cursor run as root? (Score:5, Insightful)
Re:What's to investigate? (Score:5, Insightful)
That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via ActiveX.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is an appliance, like a toaster, because Bill Gates tells him it is.
Re:Why does it get to be this bad? (Score:2, Insightful)
Re:What kind of mouthbreather would even... (Score:3, Insightful)
Re:goddam hackers (Score:5, Insightful)
I was going to try to be calm and rational about this, but screw it.
It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).
You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.
Seriously. Quit before you break something.
Re:Why would my cursor run as root? (Score:5, Insightful)
Un-fragging-believable! (Score:5, Insightful)
If you told me it was in the Aero "glass" interface, I'd be more amused. Not that the eye-candy is worth exposing a machine to security risks, but the new interface could improve user efficiency, or be a step in that direction - I'll accept the risk presented as a step along the way to a better interface.
If it was something in the kernel or one of the system utilities, I'd accept that. Hundreds of executables, thousands of source files, millions of lines of code - sure, I can see somebody missing a bug in "ipconfig" or something like that - happens to every OS eventually.
The vulnerability has to do with handling animated mouse cursors?!? Uh, how the )$(*% do you screw up mouse event handling badly enough to permit an OS exploit? Just how important are animated mouse cursors to the end-user experience? Important enough to risk OS/system stability and integrity to have a spinning hourglass?
I'll say this for Redmond - this vulnerability certainly has a huge "Wow" factor in my opinion. It's all about the "Wow", you know . . .
Re:Why would my cursor run as root? (Score:2, Insightful)
You're missing the point, so are many others. If it runs as root/admin it means it can easily make itself completely invisible to the system. Fake info given to an anti-virus, etc. Completely stealth. It also means it can spy on you silently in the background. If an exploit is root, the only way to detect it is from another system. You simply can't trust your OS anymore, unless you reinstall everything from scratch. What makes you think a local exploit would delete your data or a root exploit would trash your whole OS? This is not what exploits do. Exploits nowadays are used to zombify machines (way more effective when the exploit is a root exploit) and to steal user data, to fake your identity. Also much more likely to succeed if the exploit is root (on some OSes, including some Windows versions, you can't install a key-sniffer unless you're root).
What is worse to you: having all your data stolen/erased once or having all your passwords sniffed, everything you type spied for months and regularly sent to some bad guy and having all your personal data sent and then, at one point, deleted?
The level of short-sightedness of your comment is quite sad. Oh, and my data are backed up daily to a server running in a VM and weekly burned on DVD. If deleting your user dir is "digital death" for you, you'd better learn 101 about backups and also, probably, invest in some RAID setup (you do realize that, if a trojan destroying your data would be "digital death" [sic] to you, a nasty hard disk crash could "digitally kill you" right?)
And anyway, on most systems, once you've got a remote non-root exploit it is usually easy to combine it with a local root exploit... So it is true that I don't care very much about whether the exploit is root or not: I'd consider a Unix with a seemingly non-root exploit exploited to have been completely rooted, and so do I for a Windows machine.
Why you should care (Score:1, Insightful)
However, if a user account is pwned, you cannot trust your data. Either scan or load from backup.
So that's why you don't want "root" compromised.
And that is without going in to things you just can't DO as a normal user (raw sockets or even bind to ports < 1024)...
Ah yes (Score:3, Insightful)
Re:Why would my cursor run as root? (Score:1, Insightful)
Don't worry ! (Score:4, Insightful)
RTMF (Read The Mitigating Factors) !:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
See, much ado about nothing !:
- the attacker would have to host a web site [surely, they couldn't, could they !]
- the attacker could compromise a web site [probably they would not know how to, would they !]
- the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
- the attacker would need to persuade us [just told my wife not to answer the phone or door bell]
Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.
Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !
Re:Why would my cursor run as root? (Score:5, Insightful)
http://www.checkpoint.com/defense/advisories/publ
But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band-aid on it and send it right into the Windows Vista product is just plain bad.
Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of a secure model for the whole... What a joke.
LoB
Re:Why would my cursor run as root? (Score:4, Insightful)
Let's see.
Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?
If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandboxing is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.
It already hasn't been. The guys who found the exploit say [determina.com] that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclose the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.
It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.
Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?
HOW? Because, you know, your very own [microsoft.com] security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!
Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.