Windows Vulnerability in Animated Cursor Handling

MoreDruid writes "Secunia reports a vulnerability in Windows Animated Cursor Handling. According to the linked article, the rating is "extremely critical". Microsoft has put up their own advisory on the subject, confirming this is a vulnerability that affects Windows 2000, XP, 2003 and Vista. The exploit has already been used in the wild. From the Secunia page: The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message. Successful exploitation allows execution of arbitrary code."

First Pwndst

[Anonymous Coward]

So much for Vista being secure from the ground up!
 

Re:First Pwndst

[Luscious868]

So much for Vista being secure from the ground up!

Vista is secure from the ground up ... just so long as your running it in a VM on some other OS.

Re:First Pwndst

[Anonymous Coward]

It was. The vulnerability still affects Vista, but due to the different security subsystem the exploit can't really do anything. It sits stuck in a "protected mode" IE7 instance which can't do anything, not even fuck with the current user's profile. The exploit is effectively contained at that point.

Even if the user were to download the cursors and run them locally the effect would be minimized because, by default, a user, even a member of Administrator, is jailed. The user's profile would be vulnerable at that point, but system stuff would not be.

You can't stop vulnerabilities, but you can mitigate the result, and Microsoft has actually done a really damned good job at this in Vista.

Re:

[Giometrix]

"That is only if protected mode is on right.. so all this allows the 'sploit to do is download all of the user files and use /view any other process that the user has right to?"

I believe you're always in "protected mode;" even when you're on an admin account you're still not in "super user" mode.

Re:First Pwndst

[Bungie]

The UAC dialog would not be shown in this case. The UAC box only is shown when a process is initially created, to define the level of permissions the process will run under. A process cannot elevate it's permissions while it is already running. If the process tries to access a restriced area of the filesystem/registry etc while it is already running under these permissions the API call will be denied.

Re:

[devilspgd]

Files can be restored easily -- Right click, choose "Previous versions" and go nuts. Harrah for shadow copies.

FIrefox?

[leuk_he]

Is Firefox vulnerable? Or does FF not support animated cursors? Or did it required click to download/view some file in the first place?

Re:First Pwndst

[Frizzle Fry]

IE is safe in Vista because it runs in a super locked-down "protected mode". Windows Mail (aka Outlook Express) doesn't, so it makes sense that IE7 in Vista is immune to this but Mail isn't.

Why would my cursor run as root?

[Dr. Zowie]

Huh? This boggles the imagination. I would have thought they'd have learned about security rings while rebuilding their entire OS from the ground up (as Longhorn was reputed to do).

Re:Why would my cursor run as root?

[FreshMeat-BWG]

Who cares if it runs as root or not? It really doesn't make too much of a difference except on a multi-user system. I don't care about my OS installation--that is easy to do again. What I do care about is my data. Deleting or corrupting files in my user profile directory (C:\Documents and Settings\user\* or /home/user/* -- take your pick) is digital death for me (assuming a backup will not restore properly or new data hasn't been backed up yet).

It seems like every time someone comments about a security hole on Slashdot the response is along the lines of "Well, if this doesn't result in a root exploit, it isn't all that bad". If you agree with that statement, then go ahead and issue "rm -rf ~".

Computers input, store, manipulate, and output data. My data is important to me. Arbitrary code execution regardless of whether in my user context or a context with superuser privileges is a threat to that data.

Re:

[Anonymous Coward]

Who cares if it runs as root or not?

You're missing the point, so are many others. If it runs as root/admin it means it can easily makes itself completely invisible to the system. Fake infos given to an anti-virus, etc. Completely stealth. It also means it can spy you silently in the background. If an exploit is root, the only way to detect it is from another system. You simply can't trust your OS anymore, unless you reinstall everything from scratch. What makes you think a local exploit would detect

Re:Why would my cursor run as root?

[Rutulian]

Well, as another poster already said, it would be best if untrusted applications (like web browsers) were run as a different user from your main account. The only way it could access your data would be to require a password for privilege escalation. Unfortunately I don't know of any OS that does this. SELinux is neat, but I'm not sure it can do this without being overly restrictive.

Anyway, I think the bigger issue, though, is that root is bad. Not just for multi-user systems. The reason being because most malicious attacks are not aimed at running "rm -rf ~". They can, but that is not really in the interest of most of the people writing these exploits. They are interested in installing spyware, malware, and rootkits...all of which require root/administrator privileges. Other things too, like getting into the system logs and messing with memory owned by other processes, that help a cracker find and take advantage of exploits also require elevated privileges. So if your exploitable program simply runs as an unprivileged user you can get rid of a lot of these problems. It won't get rid of all problems, but it would help significantly.

Re:Why would my cursor run as root?

[shutdown -p now]

Writing a secure browser is inherently difficult, particularily if you want to execute untrusted code, run complex parsers, or run neat active features.

Let's see.

• Internet Explorer 7 [secunia.com]
• Firefox 2.x [secunia.com]
• Opera 9 [secunia.com]

Well, your competition has fared better so far - no critical vulnerabilities, and a lower number of unpatched ones. Opera is doing particularly well, it seems. It's still obvious from those graphs it's not all roses, but c'mon... surely Microsoft, with its resources, can do better at security than some small company from Norway?

MS took an enormous step in security with their release of IE 7

If you mean sandboxing, then it's only a half-measure, and not something I'd raise in this case if I were you. It is essentially saying, "we can't write secure code, so let's at least sandbox it". Not that sandbox is a bad idea, I very much like it, but this bug shows that more, shall we say, traditional approaches to security (like writing good code) were not explored as much as they could've been.

This bug would appear to involve one of those neat features. I have no doubt that it will be fixed in a timely manner.

It already haven't been. The guys who found the exploit say [determina.com] that they discovered it in December 2006, and immediately alerted Microsoft. They did not publicly disclosed the bug then, and it only surfaced now when it turned out that there were already exploits out in the wild for it. So it's been more than 3 months now, for a bug which should be rated critical under any system (remote code execution is a big deal). And yet we still have no patch. That is not an acceptable way of handling such a serious problem.

In protected mode IE, the process is running at a low integrity level. As such, it cannot write to normal integrity level items, and hence your data is reasonably safe from direct tampering.

It cannot erase my data, sure. Who but an angsty script kiddy would want to destroy my system, anyway? It can still read data from my home folder though, can't it? Things like, say, accounting software databases which are often kept under "My Documents" - could be handy, those credit card numbers.

Or one could just fashion a zombie machine. I would imagine that IE, even in protected mode, can open TCP connections to any host and on any port, right? SMTP not excluded?

Until a patch is released, turn off active cursors.

HOW? Because, you know, your very own [microsoft.com] security advisory only has such pearls as "Do not visit untrusted websites or view unsolicited email". It says nothing about how to turn the feature off, and whether it is indeed even possible. There were a couple of posts in this discussion about how it can't be done at all, but if you know otherwise, please share (and I'm sure that if you can get that SA updated, it won't hurt either)!

Only for sites that I trust do I enable additional functionality, using IE's zones model, a capability I do not find in Opera or FireFox, which I have used extensively.

Possibly because e.g. Opera (which I use personally; can't vouch for Firefox) is safe enough to view any website without risk, as it should be? Exploits happen, of course, but much rarer than they do with IE, and the Opera guys are really good at getting them patched fast.

Note that before I joined MS, I was only a modest MS user. After my experience with Apple - an iBook that burned through 4 motherboards and never ran more than 9 months without rep

Re:Why would my cursor run as root?

[Locutus]

you this that's bad, there was another security flaw in the mouse code announced over 15 months ago( Jan 05 ). They patched that but never examined the code for other exploits. I mean really, if you've got SOOO much freaking legacy code, you'd atleast want to be refactoring what you have to touch because of bugs or, for example, security holes.

http://www.checkpoint.com/defense/advisories/publi c/2005/cpai-2005-06.html [checkpoint.com]

But, the great minds at Microsoft and their Trusted Computing efforts appear to be spending more time on marketing and public relations and less time on even attempting to make a better product. It's bad enough that the mouse code is an attack vector but to just put a band aide on it and send it right into the Windows Vista product is just plain bad.

Remember, Vista was said to be the most secure operating system available. Not the most secure version of Windows but the most secure operating system. And yet they are letting relatively small bits of code like this mouse code get through their masterful security techniques. Well, I guess that is why they've decided their security system will be based on a billion sandboxes instead of secure model for the whole... What a joke.

LoB

Re:Why would my cursor run as root?

[644bd346996]

What part of "Successful exploitation allows execution of arbitrary code." do you not understand? This is a hole that lets crackers do a lot more than crash your computer.

Re:Why would my cursor run as root?

[Anonymous Coward]

What part of "Successful exploitation allows execution of arbitrary code." do you not understand?

Successful.

Re:Why would my cursor run as root?

[spun]

Microsoft's advisory says that IE7 runs in protected mode in Vista, thus it is "protected from currently known web based attacks" and the exploit can only crash the browser not execute arbitrary code. It's in the "Mitigating Factors for Animated Cursor Vulnerability" section.

"In Protected Mode, Internet Explorer 7 in Windows Vista cannot modify user or system files and settings without user consent." -- From the Windows Vista: Features Explained site.

Unless of course the user has been driven insane by all the "Cancel or Allow?" questions and would readily click "Allow" even in a dialog box asking, "Your computer would like to strangle you with its power cord. Cancel or Allow?"

Re:Why would my cursor run as root?

[644bd346996]

Sure, but this is still a zero-day exploit for everybody who hasn't upgraded to Vista, and everybody who hasn't turned on IE7 Protected Mode. (The MS website seems to imply that IE7 Protected Mode is not the default). That leaves at least 95% of the installed base of desktops vulnerable.

Re:

[Afecks]

The MS website seems to imply that IE7 Protected Mode is not the default

It is on by default for all but the trusted zone.

That leaves at least 95% of the installed base of desktops vulnerable.

Or you know.. not..

There seems to be about 15% of us that are just so crazy we switched our browsers to Firefox or Opera... I would recommend it.

Re:Why would my cursor run as root?

[klubar]

FYI... protected mode is the default. You have to try pretty hard to disable it... Of course Adobe in their infinite wisdom requires you to turn off protected mode to be able to write PDF (using acrobat) from IE. More adobe's fault than anything else.

IE protected mode

[Anonymous Coward]

That's not quite true. The vulnerability does allow execution of arbitrary code, however protected mode IE limits the scope of what the running code can do. With protected mode IE, IE (and any processes spawned by IE) cannot write data to arbitrary locations, cannot send window messages to arbitrary windows on the user's desktop and cannot take advantage of most of the abilities that most users have. This applies even if the user is an administrator.

Protected mode IE *does* have the ability to read anything

Re:

[Joe The Dragon]

The flash plugin seems to need Protected mode turned down or off to work so hacking may code it to use plug in to hack into the rest of the system and flash is used so many web sites that people can't do with out it.

Re:IE protected mode

[shutdown -p now]

It could also turn your IE into a spambot. Now, sure, it will only last for as long as that copy of IE is running, but some creative modification of IE cache (to which it also obviously has access) to insert the required code into a few most visited .html files - say, the user's home page - should make sure that every time IE is started, the exploit gets applied again.

Surprise, Windows Listed as Most Secure OS

[ballmerfud]

Surprise, Windows Listed as Most Secure OS [slashdot.org] ... just don't move the mouse.

Re: Surprise, Windows Listed as Most Secure OS

[CoolVibe]

Surprise, Windows Listed as Most Secure OS [slashdot.org] ... just don't move the mouse.

and pull the network plug out while you are at it. More security :)

Re:

[rblancarte]

Yes, but that is a given with any computer (Linux, Mac or Windows). Hence the saying that the most secure computer is one that is off, not plugged into anything (including a keyboad, monitor or wall outlet) and locked in a vault.

IMHO, while the actual exploit might be new, haven't things like animated cursors always been among things you wanted to avoid due to the malware they come with? This just makes them worse.

RonB

Pfff. Locked in a vault?

[spun]

The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

Hardly!

[Petersko]

The most secure computer is turned off, unplugged, buried a mile deep in an asteroid somewhere in the Kuiper belt, ringed by defensive lasers, orbited by a swarm of nuclear smart mines and guarded by a whole company of battlemechs.

That's far too much technology that needs to be trused. What if the protective equipment is compromise, and the battlemechs dig the computer up using the mines and the lasers, and then install a Sony rootkit on it?

No, the most secure computer would be one unharmed while eve

Good heavens...

[Petersko]

trused? compromise? Mornigs suk as.

Re:

[lostboy2]

What if the protective equipment is compromise, and the battlemechs dig the computer up using the mines and the lasers, and then install a Sony rootkit on it?

True, because, as we all know, battlemechs love Celine Dion [bbc.co.uk].

Re:

[morgan_greywolf]

and pull the network plug out while you are at it. More security :)

While you're at it, pull out the cable attached to the power supply....Windows Vista Ultimate Security! ;)

This old?

[LinuxGeek]

With exploits as old as this one, it makes me wonder just how many high level hackers/crackers have used this in silence over the years. It could pay very well to keep ploits such as this one silent for as long as possible.

Re:This old?

[truthsearch]

This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

Re:This old?

[LilGuy]

If it were true that this was exploited for years, why would it come out now? Has something even better been found and thus this one can be trashed?

Re:

[ergo98]

If it were true that this was exploited for years, why would it come out now?

Someone got too greedy? They targeted a rare individual that was more vigilant about their machine?

Re:This old?

[fuzz6y]

Because one of the "good guys" finally found it and reported it. The "bad guys" weren't ever going to squeal.

Re:

[Anonymous Brave Guy]

That's true, but it's true of any exploit list. After all, how would the list maintainers know if something were secretly being exploited for years?

Re:

[truthsearch]

That's true. My point wasn't specific to Microsoft. I just used them because they're the subject of the post and such an easy target. ;)

Re:

[LoudMusic]

This is a perfect example of how using Microsoft's official list of exploits is a mostly meaningless metric to determine how secure the OS really is. It gives no indication of security holes being secretly exploited for years.

That goes for the UNIXes as well.

Re:

[rbochan]

A decade ago it was screensavers... you've come a long way baby...

Re:

[Just Some Guy]

It could pay very well to keep ploits such as this one silent for as long as possible.

What makes you think they didn't?

Re:This old?

[alexhs]

Also this is not the first flaw affecting animated cursors. I remember having read about that a few years ago. Googling "animated cursor flaw" gets me to 2004-12-29 [windowsitpro.com].
So, their problems with animated cursors are really old, back to the NT 4 era.

Re:

[pallmall1]

Shit, I forgot this is /. and only English majors are allowed, sorry for damaging your retinas.

/.?
WTF is /. :)

Oblig.

[zlogic]

In Soviet Russia, cursors pwn you!

Actually

[gcnaddict]

Unfortunately, since cursors pwn you in the US, the statement must be revised (rather ironically) to:

In Soviet Russia, you pwn cursors!

See, since that doesn't exactly work with the other Soviet Russia jokes, there's no reason to post it here. You pwn cursors and cursors pwn you in the US. Now, if we replaced cursors with mice and you with your food, then we have a more appropriate USSR joke.

Correction

[towsonu2003]

In Soviet Russia, cursors pwn you!

Correction: In Soviet Russia, you pwn cursors! So you might want to live in Soviet Russia... Sorry.

The Solution is Amazing

[neoform]

>Solution: Do not browse untrusted sites or view untrusted e-mails.

Nice, so basically I'm not supposed to read any emails from people I don't know. Sounds like a viable solution.

Re:

[penp]

If you read the link [microsoft.com] to Microsoft's advisory about the exploit, it sounds like you're not even supposed to trust email from people you do know.

As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources.

On top of that, if you read further it starts to sound like a scheme they're using to try to sell more copies of Windows Vista.

Mitigating Factors for Animated Cursor Vulnerability

Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

Who needs animated cursors, anyway?

Re:

[Yvan256]

And since you can fake web adresses (at least for Internet Explorer) and fake email adresses (nobody is immune), you can't do anything at all.

The real solution is to disconnect your computer from teh intarweb.

Re:The Solution is Amazing

[ehaggis]

Don't use a cursor, just guess where your mouse is pointing.

Vista Security.

[jellomizer]

I though Vista was supposed to be the most secure OS ever. But animated mouse icons? I wonder what part of protected memory microsoft doesn't understand. It is probable due to some speedup fix so it can beat the benchmark tests. Normal use we don't see a problem but sacrifice security so it can beat the benchmark tests so it can say it is faster.

Re:

[cnettel]

Let me ask a counter-question: What part of a user-mode exploit don't you understand? What I want to know is to what degree the reduced privileges of IE in Vista (confusingly also called "protected mode") makes direct exploitation of this harder.

Re:

[jellomizer]

Protected memory should prevent memory from each object from interfearing with each other. Not by user. User Mode security is just as bad as system level. Except it just doesn't have full access. But the bulk of your important information is accessable via your user account. The mouse images and animation should be in its own seporate memory block that can only be accessed via controled input calls. When the input is given it then should be checked to insure the format is sane. Finally this control shou

Re:

[cnettel]

Ok, but then you don't only ask for protected memory, but a microkernel and lots of server processes. Changing page tables on the fly to do this, while keeping the number of processes low, is completely unthinkable on current architectures. As we have no actual production OS even close to the granularity you're requesting here, the question is not what part of protected memory MS doesn't understand. In this case, they understand, and use it, in pretty much the same way as "everyone" else. (If it had actuall

Re:Vista Security.

[rajafarian]

I though Vista was supposed to be the most secure OS ever.

Nope. I watched their lips and every time they said, "Vista will be the most secure Microsoft operating system ever."

I think this was carefully worded by them so they could say it with an honest face.

Re:

[honkycat]

I'm not sure about even that -- how many remote exploits did MS-DOS 2.0 have?

Only affects rendering using the IE engine...

[bubbl07]

From a McAfee Avert Labs blog article:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

Moral of the story: don't use the IE rendering engine for cursors by avoiding using the IE web browser and by not using untrusted animated cursors in Windows.

Re:

[bubbl07]

My apologies, article here [avertlabs.com].

Re:

[netsharc]

Isn't it great how Microsoft's suggested workarounds only say "View E-Mail in plain-text, don't visit untrusted sites" (even though they claim beforehand an attacker might also try to hijack trusted sites to deliver the exploit).

Guess they can't write the obvious, "Use an alternative browser and/or email client.". Hah, what a Dubya-ian world they're living in.

So I'm assuming the way to exploit it is with CSS's cursor [w3schools.com] property:
cursor: url('some-bad-file.ani');
I'm guessing Firefox has its own animated cursor

Why does it get to be this bad?

[140Mandak262Jamuna]

Well, one can understand programmers making stupid mistakes, and creating vulnerabilities. And everytime you add features, whether it is important or just bells and whistles, you always run the risk of opening up another vulnerabilities. Granting all that, why is it that, in 2007, after Vista, with "Security is Job 1 in MSFT", why does a vulnerability in a browser goes all the way up to executing arbitrary code? Browsers are expected to get data from untrustable sites, they should have heavy armour protection. Why the users are putting up with this nonsense?

Some stupid consumer protection council reports that some part of some toy can come apart and present a choking hazard to children. "As many as 3 children could have died over the last 10 years because of this!" Suddenly all news organizations act as though the sky has fallen, and on slow news day, it is even the lead story! Here we have a hazard that could get your machine rooted and pwned and steal your password and sell it in the organized crime networks, ... and the world reacts with a collective shrug.

Sorry, for the rant, I know I am preaching to the choir, just need to get it off my chest.

Supposedly the newest code does prevent it

[Beryllium Sphere(tm)]

Microsoft's advisory claims that IE7 in protected mode isn't vulnerable.

Re:Why does it get to be this bad?

[DoofusOfDeath]

No doubt you aren't a programmer, and wouldn't really grasp how complex a piece of software like a web browser really is,

Even if you're a programmer, you're still out of your league on this one. Only a plumber could understand the series of tubes that make up the Internet.

Re:

[tijmentiming]

You missed the point. He only says it's weird that people shrug when software is insecure. It's a not a rant to microsoft, but to people who shrug.

Re:

[140Mandak262Jamuna]

Yes, Sir, I read the article.

Successful exploitation allows execution of arbitrary code. NOTE: The vulnerability is currently being actively exploited.

That is why the rant. Crash on imperfect input? I will accept that.

Re:

[140Mandak262Jamuna]

It used to be, browsers were used mainly to access information on the 'net and the most damage that will happen to you would be your computer might crash or net wont be available. It is not such low impact scenario anymore. Bank accounts and brokerage accounts are being accessed and controlled by the browsers by millions of people every day. The real serious hackers who know enough to take advantage of these exploits are not your typical script kiddie out to have some fun or make a name of himself. They are

Re:

[porkThreeWays]

Well, I think the idea was that the world has its priorities skewed. Statistically your child would have an insignificant risk if millions of children were playing with this toy. You should be more worried about your children getting common childhood disease that could kill them. Likewise, getting your personal information stolen can make your life hell. Would you be more worried about your child having a .00001% chance of choking on a toy, or a 5% chance of having your ATM card stolen? If you said the form

Re:

[Rob the Bold]

You're not seriously comparing getting passwords stolen with a child's death, are you?

I was wondering when someone would pleeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeease think about the children. Thanks.

What kind of mouthbreather would even...

[straponego]

...install an animated cursor in the first place? Okay, besides the CEO.

Re:

[Torodung]

Actually, it's pretty useful for the "wait" cursors, because you can tell if the system has crashed or is stuttering badly. I use it for both the "Working in background" and "Busy" signs. If the hourglass stops moving, and sometimes it does, even if mouse control still works, you know you're waiting for nothing. It was more useful with Windows 95 and 98, but I still use it in XP.

(Actually, I use a set of modified Mac OS 8 icons, including black arrows and the classic "watch" icon, but I use hourglasses here

Re:

[Rob T Firefly]

I'll own up and admit to having used exclusively animated cursors in the past... but then again, I was a mouthbreathing teenager in the mid 1990s with my first Pentium. I also had Star Trek WAVs hooked to all my Windows events, ran After Dark's screensaver app at all times, used any excuse to look things up Compton's Interactive Encyclopedia CD-ROM, and obsessively hoarded Voyager publicity photos from Compuserve. A few blinky wiggly pointers shaped like phasers and lightsabers were the least of my crimes

Re:

[gEvil (beta)]

...install an animated cursor in the first place? Okay, besides the CEO.

My cursor is a big punching glove. It makes hitting that damn monkey that much easier...

Re:

[illegalcortex]

What kind of mouthbreather would even install an animated cursor in the first place?

I'm not sure that's really the problem. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the w

What's to investigate?

[roman_mir]

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. - <sarcasm>well, we all know not to open specially crafted e-mail messages and attachments.</sarcasm>

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. - I can give an advice even without an expensive investigation. Do not use MS IE, do not use MS Outlook, do not allow animated anything on your desktop and probably the best thing to do is to finally just plain not to use MS, but in many cases it is not an option.

Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed. Turn off all animations, turn off 'show content while dragging window' option, switch to 'classic' look for the look of the Explorer, make sure that there are no thumbnails, switch to 'details' in the Explorer, make sure to show extensions on all files, make sure to apply to all folders and turn of 'Remember each folder settings' option.

I am not certain that this will prevent this particular problem, but not using IE and Outlook most likely would (while using other email clients do not allow active content to execute and do not trust attachments ever.) It's a real pain, it would be much better to run MS Windows in a virtual machine on GNU/Linux (VMWare I suppose.)

Re:What's to investigate?

[rbochan]

...Really, who uses animated anything on their desktops? It is always a performance hit. I completely disable all active desktop features immediately before using a computer with MS Windows installed...

That's fine for you, but have you seen an average consumer machine recently? Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed - usually via Active X.
You _are not_ the average user - the statement you made above proves that. The 'average joe' thinks his computer is appliance, like a toaster, because Bill Gates tells him it is.

Re:

[Trailer Trash]

Everything from animated wallpaper to rotating slide shows to OMGPONIES!!!!!! themes get installed

We're two days away from April 1st, let us enjoy these days while we can...

Re:

[illegalcortex]

do not allow animated anything on your desktop

I'm not sure that's really the solution. Wouldn't either of those articles have listed it as a workaround if so? I think this is the actual problem:

With Microsoft Internet Explorer 6 or 7 you can use your own animated or static cursor on your webpage instead of the standard system cursor. All you have to do is add a little code to your HTML-documents or the CSS-stylesheet and upload the cursor file (*.ani or *.cur) to the webserver.

http://www.anicursor.com/web

Displaced Hot Spot

[G4from128k]

It would seem that any remotely defined cursor could be used maliciously by displacing the hotpoint relative to the cursor graphic and encouraging the user to click on something "safe" when the real hot spot for the click is elsewhere over something untrustworthy.

Criminals using this vulnerability ?

[Rastignac]

Our security expert, Jackson M., just tolds us:
" So, ANI are you ok ? Are you ok ANI ?
    You've been hit by... you've been hit by... a smooth criminal ! "

A workaround for this...

[Anonymous Coward]

A workaround for this is to install some quality cursors.
I use the comet cursor package that installed itself automatically when I browsed the web.
It has some great cursors and loads of other features that make using Windows far more entertaining.

I have not been able to remove or alter the comet cursor package since it installed itself, so I think it will protect very well against other cursors getting installed on my computer.

I can hear Ballmer screaming...

[xactuary]

Cursors? Foiled again!

Re:

[erroneus]

Damn you! I have been waiting YEARS to do that one!!

Damn you! Damn you all to hell!!

Solution: "You are trying to move the mouse..."

[Anonymous Coward]

[Cancel] or [Allow]?

Stop the animated scrolling up and down

[BanjoBob]

thursdays update killed my system. every window scrolls up and down at 1000 mph. you can't click anything at all. so who cares about an animated cursor -- i need to stop the animated window. oh, i'd like to get my shift keys working again too. they are now backup to previous window keys. thanks microsoft

Caution

[Alioth]

If you think you're not vulnerable because you won't be downloading an animated cursor, or you're not vulnerable because you have AV software, read this:

http://www.secureworks.com/research/threats/gozi/ [secureworks.com] ...which has a similar infection vector (by merely visiting a web page you get infected), and went undetected for 54 days.

This latest silent exploit, which can be used by merely visiting a web page, will be used for other similar attacks.

Re:

[illegalcortex]

Near as I can tell, this doesn't take you downloading an animated cursor. There's IE-specific CSS code that allows you to replace the cursor in IE. You can't turn it off. If only MS had added that as an option, we'd at least have a workaround.

This doesn't include all cursors...

[192939495969798999]

I'm sure that those "free animated george bush cursors" ads that pop-up when I'm surfing around are safe from this, right?

Is there nothing that can't be exploited in MSWin?

[Viol8]

Processes you can understand having exploits, no coders are perfect. But how the hell have they exposed the underlying cursor API/buffer so that someone can make an exploit out of it except via some idiotic and stupid design decision?? This really beggars belief. If the even the cursor is vulnerable is there *anything* that can be trusted to be secure on a windows PC apart from the OFF switch?

IE loads animated cursors via CSS

[illegalcortex]

For those people saying "turn off animated cursors" and such, I don't think that's a solution. IE allows a webpage (or email if you're using the IE rendering engine in Outlook) to replace your cursor using some IE-specific CSS code. It's as easy as changing the background for a webpage. Examples:

body {cursor: url('cursor.ani');}
<BODY style="CURSOR: url('cursor.ani')">
<BODY style="CURSOR: url('http://www.example.com/cursor.ani')">

You can do it for the <BODY> element, or for other elements like <A>s. It then loads the specified .ANI file which exploits the hole in IE.

I am almost positive there is no way to disable this in IE.

Re:

[illegalcortex]

You could probably block the easier ones, yes. But first off, I'm not sure the file has to be named with a .ANI extension. Second, it's probably you could do the CSS via javascript rather than have it hardcoded like in my examples. Doing these two things would make scrubbing via a proxy much more difficult.

Re:IE loads animated cursors via CSS

[lostboy2]

SANS [sans.org] says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).

Comment removed

[account_deleted]

Comment removed based on user account deletion

Another stupid buffer overflow...

[GogglesPisano]

It boggles the mind that (fully patched) XP, IE7, and Vista are still vulnerable to buffer overflow attacks. It's 2007 for god's sake, not 1987.

Any use of a stack-based static-sized buffer should have thrown up huge red flags during code review. To have unchecked use of a static buffer make its way into production code is inexcusable in this day and age, particularly at Microsoft.

Ah yes

[loconet]

Although I use Linux exclusively at home/work, here I am, silly fool, giving the benefit of the doubt to Vista and its "enhanced security". I've always been aware IE's ability to create holes in the most unrelated portions of the OS (cursor, help pages, etc) and yet, I thought that Vista, maybe, just maybe actually was worth its 5+years of development and it was not all spent in DRM crap. How foolish of me. Here is yet again another seemingly unrelated functionality affected by the disaster that is IE. I will not be surprised if tomorrow IE can make your desk lamp vulnerable.

Don't worry !

[udippel]

The Microsoft Advisory - whom we all trust - shows that the fuzz here in /. is unnecessary.
RTMF (Read The Mitigating Factors) !:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

See, much ado about nothing !:
  - the attacker would have to host a web site [surely, they couldn't, could they !]
  - the attacker could compromise a web site [probably they would not know how to, would they !]
  - the attacker has no way to force the user to visit a specific website [see !]
Especially the latter gave me complete relief and peace of mind ! I can't be forced, that means I am as good as safe ! Yahoo !
  - the attacker would need to persuade us [just told my wife not to answer the phone or door bell]

Not running my web browser as administrator [I don't] seriously limits the potential damage, thanks to Vista's unique feature of unprivileged user accounts.

Thanks, Microsoft, for an informative advisory; and a comprehensive and clear list of mitigating factors !
Thanks, Microsoft, for debunking so-called "extremely critical" vulnerabilities as myth, again !

Boy...

[Zebra_X]

Sure am glad I just upgraded to Vista and Office 2007:

Mitigating Factors for Animated Cursor Vulnerability

  Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode. For more information on Internet Explorer Protected Mode see the following Web Site.

  By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector.

I think the important thing here to note is that MS is actually delivering on it's promise to deliver a more secure OS and set of applications for users.

Re:goddam hackers

[jellomizer]

I guess you are not a student of Computer Science.
Every parameter from every possible input needs to be verified for its correctness. If there isn't you need a way of notifying the user or cleanly exiting the system to prevent cascading damage.

The concept is simple actual practice is hard.

A lot of the times these hacks are not found because they were looking for a way to hack the system but the realized there was a problem when they did something wrong but it didn't reutrn errors but had desasterious consequences.

Re:

[jellomizer]

That is why I said the concept is simple in practice it is hard. The point is these flaws are due to bad programming. In real world we do bad programming Global Varables, GOTOs, Linear searches on ordered lists, but when we get the problem we need to admit it is bad programming not say well its those nasty hackers fault for making my app do what I didn't want it do do. Image Processing use to be safe, but now with more and more options it is becoming a dangerious thing.

Re:goddam hackers

[Just Some Guy]

Guess you are STILL a Computer Scientist student. If you are doing something that has no impact on security (this is image processing dammit) the value of your software is in what it does, not in how it resists to every possible abuse.

I was going to try to be calm and rational about this, but screw it.

It's that kind of piss-poor attitude by jackass codemonkeys that causes these stupid, avoidable problems. If you aspire to be a programmer, quit now. You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

You can either approach every single line of code you write by asking how it will be attacked, or you can write an OS that can be compromised by a damn mouse pointer. There is no in between. All the hoping and wishing and "gee whiz golly, no one would want to hack my code!" Pollyanna naivete in the world won't change it.

Seriously. Quit before you break something.

Re:goddam hackers

[david_g17]

You are not suited for it, and the best you can hope for is working in the field for a few years before your coworkers stab you to death in the parking lot (and no one will see a thing).

~David_g17 sharpens his spork...~

Re:

[sqlrob]

There's already been one for Clippy, or at least the underlying technology. They were scriptable and could execute arbitrary code.