Windows .ANI Problem Surfaced Two Years Ago

An anonymous reader writes "There's a new twist to the tale of Windows .ANI exploit, that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."

How is that a lure?

[kypper]

when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites

Talk about an anti-virus.
If all attempts to hijack my machine involved using her as a lure, I'd uninstall AVP in a heartbeat; you couldn't pay me to see her nude.

Re:

[Lehk228]

what does alien v. predator have to do with this?

Re:

[yurnotsoeviltwin]

I'm really hesitant to click that link because I feel like it would be totally in-character for /. editors to point a link entitled anything like "nude Britney Spears pictures" to an actual virus, just for kicks.

Re:How is that a lure?

[Lehk228]

no she's not a mermaiden, if anything she is closer to being a submarine, huge and full of sea men

Strange...

[__aaclcg7560]

The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!

Re:

[morgan_greywolf]

The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!

Actually, the ANSI sequence 'viruses' (which were done by remapping keyboard keys to macro sequences which then executed commands) are just another form of terminal sequence attack that was quite popular a few years back when many people were still using terminal-oriented mail readers like pine, elm and mutt. These were the good ol' days when ISPs passed out shell accounts for reading mail and such. It forced Linux distros to shor

Re:

[__aaclcg7560]

This is Slashdot! Dupes abound, stories recycled, and anonymous cowards nitpick!

a-HA!

[SeaFox]

InformationWeek reports the Windows .ANI bug at issue first surfaced -- and was patched -- two years ago, in early 2005....
Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."

So now we can say that Windows actually had twice as many ANI bugs as we originally thought and Microsoft admitted so themselves.

Wouldn't that be

[eviloverlordx]

an .ANL exploit?

Re:Wouldn't that be

[EmbeddedJanitor]

No, it's a back door.

Oblig.

[iluvcapra]

Hello, Mr. Potato Head! Back doors are not secrets!

Nothing to see here..

[madsheep]

This has been written about multiple times in multiple places. Not to mention this was already referenced in the article from the Slashdot posting a few days ago. Keep it moving...

This ANI exploit is different!

[andrewd18]

Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking.

Of course this .ANI exploit is different... the one that came out in 2005 didn't affect Vista!

Incompetent Liars

[Jeremy_Bee]

The thing that bugs me the most about these kinds of issues is the reporting of them in the media.

If you read the slashdot summary (or even the whole first page of the article), you get the impression that some people think the bug is pretty much the same thing as the 2005 one and that Microsoft disagrees. The story is structured like a "He said, she said," kind of thing and no one is painted as right or wrong. If you *do* manage to make it to the second page of the article however, you find out that several very respected security professionals and security companies present detailed compelling evidence to the effect that Microsoft is both incompetent and disingenuous in their opinion on this bug.

It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them. This by reason of Microsoft's own self-stated bug hunting and code modification procedures.

The conclusion is absolutely inescapable that Microsoft completely failed to follow their own basic rules of coding and security auditing here. They also are lying or at the very least splitting hairs about it being a "separate issue," and they seem to be deliberately trying to pull the wool over peoples eyes about it. Yet this story has been reported around the web as a kind of "maybe McAfee is right, or maybe Microsoft is right," thing for the most part??? Why?

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.

Why do people buy products from these people again?
And why do they always seem get the benefit of the doubt in the media?

Re:

[Watson Ladd]

To answer the first question: API lock-in. A lot of strange hardware is windows-only, and the same with a lot of software. Microsoft might have horrible API's, but people use them to appeal to the Windows market, and so increase its size. Look at COM vs. Objective-C. The answer to the second question is because of the fear of a libel suit. You said the bug occurred because Microsoft didn't check it. Far more likely is they checked it incompetently. The difference is the difference between libel and truth. A

Re:

[networkBoy]

Do you have an honest belief that what you have stated is true?
If so there is no slander or libel. (A court ordered apology and forced publication of a correction in the same media that the initial comment was made may still be required, however).
-nB

Re:

[garobat]

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.

Well, considering the mount of dialog boxes kept unchanged from XP and all, it seems pretty obvious that Vista is not "all new code". And what would be the point, as

Re:

[mypalmike]

I'm not using Vista, and I'm writing this on my Debian box. But this is ridiculous.

It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them.

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places. They probably should have caught it, but they didn't. If they are incompetent merely because they have code that is exploitable by stack overflow

Re:

[Splab]

Or perhaps the issue was fixed in a branch, but for some reason never got committed to the main trunk(s).

Re:

[Tanuki64]

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places.

I do write code. And copy-and-paste code is always a sure sign of an incompetent coder.

Re:Incompetent Liars

[Bodrius]

Really? I write code for a living too, and a categorical statement of the form "doing X is ALWAYS a sign of an incompetent coder"... always seems to me, at best, a sign of an unexperienced coder. Either that, or an extremely lucky one.

I'll just assume your case is the latter :-)

Sure, copy-and-paste duplication should be avoided where possible, along with gotos, reinventing the wheel, long complicated functions, lack of type safety, etc.
Also, all code should really be a perfect and pristine example of elegance and modularity. Bug-free is even better!

Reality bites, though.

Unless we're talking of brand-new projects of a small size, I find it really hard to believe that comminiting to 0% copy-and-paste-code is a practical proposition.

For a non-trivial product with some legacy, copy-and-paste is often the best among various non-optimal choices.

- Do you really want to tightly couple these two unrelated components because you want to use those 5 lines of code?
- Can you afford to carry over all of the dependencies on that library or class?
- Or can you afford the refactoring to avoid those dependencies? How many new components (which were not changing before) do you need to retest now that you pulled the code out?
- Can you afford to lose that development and testing time on other features that you need for RTM?

    That's not to mention the almost-guaranteed design time discussing where that re-usable code should move to in the first place... and do we need to change it to make it more generic? Do we need to ship all the refactored components with no functionality change? etc. etc.

I agree with the sentiment: Copy-and-paste duplication sucks, and should be avoided wherever possible.

But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.

Re:

[Belial6]

Here here! I know, I just copied and pasted an entire application's code. I then did modifications to the code. Why? Because even though I would have loved to have spent the next 6 month rewriting the application from scratch, a different department needed 98% identical functionality; and my boss was not going to authorize 1040 hours of work to maintain best case scenario coding practices when we could roll the copied code out in 24 hours of work. And to keep from doing a copy and paste, we would have

Re:

[Tanuki64]

On the plus side, it really is great working for a manager that actually does understand the ramifications of writing bad code for political reasons, and that can be trusted when he makes that decision. This is particularly good when he also understands that spending extra time now to write good reusable code will save time and money later, and is willing to make sure that the time is made available when the corporate politics allows it.

Do you really know such a manager? My experience with manager is tha

Re:

[Belial6]

Surprisingly enough, Yes, I do. He pads most projects with most projects with a little bit of extra time specifically for the purpose of writing good reusable code. When he asks for bad code, it truly seems to be only when we are looking at a huge cost savings, like the 1040 hours vs 24 hours, or for political reasons, really important software must be is faced with the option of, write it faster than good coding practices will allow, or it doesn't get written at all.

His trust in us has really paid off

Re:

[Tanuki64]

In that case I really envy you. Of course, my initial post was very much black and white. If you really can trust your project manager, and you really know the rules, then you also know when you can bend them.

However, he majority of project managers is incompetent. 90% of those I know got their position because they were loud mouthed, brown nosing morons, which where unable to write reliable code or perform well with whatever job the initially had. One department is really glad to get rid of them, the

Re:

[Tanuki64]

always seems to me, at best, a sign of an unexperienced coder. Either that, or an extremely lucky one.

You forgot the third possibility: An experienced coder, who was responsible for such a design flaw himself and was seriously bitten by it.

Unless we're talking of brand-new projects of a small size, I find it really hard to believe that comminiting to 0% copy-and-paste-code is a practical proposition.

On the contrary, I'd say in a small project you can get away with code duplication. And there is nothin

Re:

[Bodrius]

It seems you missed the point of the comment, so I'll just cut short to the argument we seem to agree on.
Which incidentally, was the whole point of the comment.

But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.

Code duplication has risks. You learn about the risks in almost each book about software engineering. Is it always the right decision to avoid it

Re:

[Tanuki64]

That was the point: no developer can really claim X is ALWAYS the right/wrong decision.
.
.
.
There is no such certainty in real world software engineering.

I don't think I misunderstood you. But I think I made it not clear enough that I disagree. If you are a developer with no managerial functions, there is one decision, which is as close a ALWAYS right as a decision can come: Design as clean as you can. No shortcuts ever. If you think your code needs a refactoring, do it. If it means missing a schedule

Re:

[Locutus]

it didn't sound like copy-paste to me. The first bug( found Dec 2004 ) was a failure to validate one of the parameters of an Animated Mouse function and the invalid value of "0" could be exploited. What I read in the recent story is that the current bug is due to another parameter of the same function going unchecked and/or accepting invalid data. They used the term "header" in the story but I think they must have ment parameter since that was publicly stated as the problem with the 2004 instance of the bug

Re:

[Tanuki64]

it didn't sound like copy-paste to me. The first bug( found Dec 2004 ) was a failure to validate one of the parameters of an Animated Mouse function and the invalid value of "0" could be exploited. What I read in the recent story is that the current bug is due to another parameter of the same function going unchecked and/or accepting invalid data.

How many parameters does this function have? That's to say how many bugs we can expect in this one function in the future?

Re:

[Locutus]

LoL

FYI, another /.er found a link to a step-by-step on this and it appears it is not exactly another parameter of the same function. I'll try to summarize, The ANI file is made up of a bunch of similar blocks such as many icons to make up the animation. The first/2004 bug didn't check for the size of these blocks being valid and the fix put a check in the first place these blocks are accessed and checks only the first block for correct size. The "new" bug is really the same thing but the 2nd block is exploi

Re:

[mypalmike]

If I have the code...

foo( bar );

... in more than one place within a function, I have copy-and-paste code. One-liners like this used in multiple places can cause bugs to get fixed in one place and not another. Now, are you telling me that I should wrap the foo function call in another function? Then I'd end up with...

fooWrapper(bar);

... in multiple places instead. Tell me how to refactor this copy-and-paste code so that "copy-and-paste" code is gone.

Real engineering sucks, doesn't it?

Re:

[bendodge]

Why do people buy products from these people again?

Because (overall) it just works, and has incredibly good hardware support.

It also is aesthetically pleasing. While there has been lots of effort put into making things like KDE look good, the individual shiny buttons and bars don't agree with a universal theme. Windows development is centralized, so the everything fits together visually.

I personally prefer the look of Windows XP to any OS (note I haven't used Vista), just because the gradients, buttons, and esp the fonts all fit together smoothly.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[shutdown -p now]

It also is aesthetically pleasing. While there has been lots of effort put into making things like KDE look good, the individual shiny buttons and bars don't agree with a universal theme. Windows development is centralized, so the everything fits together visually. I personally prefer the look of Windows XP to any OS (note I haven't used Vista), just because the gradients, buttons, and esp the fonts all fit together smoothly.

Sadly, the uniform look&feel of Windows has been slowly becoming worse in rec

Re:

[ceroklis]

Microsoft has access to the source code, the "experts" don't. They have simply no basis for these claims. Their conclusions are based on their ideas on how code is supposed to be written, not on knowledge of the actual structure of the code in question. Ever tried to debug old spaghetti code that was written ten years ago, never properly documented and that nobody in the organization understand anymore? Maybe it is more complicated than they think. That's why I wouldn't trust them more than Microsoft on the

Re:

[afidel]

Uh, it IS the exact same bug, you put too much data into a certain data structure type within the ani type files and you hit a buffer overflow. The only change with this iteration is that they patched how the code is called to handle that structure for the first occourance of the structure in the file, in otherwords they applied a bandaid by not allowing the corrupt data structure to get to the vulnerable code, but they failed to realize that if you put a second occourance of the data structure in the file

Re:

[Locutus]

I guess that is why Bill Gates has been running around the world saying that Windows Vista is "the most secure operating system available"... Sorry but they have been saying their shit doesn't stink in regards to security and reliability since the W2K release.

And that bit about the security experts not knowing what they are talking about because they don't have the source code, well they have the binary code and from that they can generate assembly code. With that, it's pretty easy to see if an unchecked pa

Re:

[Una Nahmed]

"As an aside, I am tired of these endless criticisms of windows. It was never marketed as an über-secure or über-robust system. So stop complaining and understand that it is a relatively inexpensive and user-friendly OS" Heh? You're kidding, right? Windows has ALWAYS been marketed as robust and secure--ESPECIALLY Vista. You can't possibly listen to any MS exec or marketer all the way up to Bill Gates talk about it without hearing repeatedly and almost desperately about how this is the most secure

Re:

[midnighttoadstool]

Microsoft have always put a high priority on backwards compatability, as do almost all of us. So you have to be pretty naive to think that "all new code" is going to mean a total re-write. After all they only need to stick in a few lines of "all new code" to hoodwink the likes of yourself.

Further if you have any idea of what is involved in backwards compatability (ref: Raymond Chen's blog) then you'll understand how reluctant Microsoft may be to change even such a small thing as that.

It's a nice rant you

Re:

[UnknowingFool]

This sounds familiar. One of my friends who once worked for MS showed me a bug in the screen saver. It was first identified in NT4. It was fixed in Win2K. But when XP came out, the bug was back. It wasn't one that would allow for attack; it was just one of those annoying ones, but it was astonishing that it still existed.

Re:

[Foolhardy]

There is a certain class of security vulnerability where malformed data passed to a library in the same process can cause code execution. From the library's point of view, since the library is in the same process as the caller, they're both at the same trust level, so calling a function does not cross a security boundary and no secure validity checking need be performed. The worst that could happen is that an app causes a library to execute code in its own process, a non-issue. The only parties involved are

Re:

[Antique Geekmeister]

The new stuff is the extensive DRM, especially including the so-called "Trusted Computing" tools, and the remains of the attempts in insert WinFS, which turned out to be pretty unusable and wound up thrown out.

Here's a plausible version of what happened

[Beryllium Sphere(tm)]

http://www.securiteam.com/windowsntfocus/5XP0515L5 W.html [securiteam.com]

nothing to see here... ssdd... remember winnuke?

[tele2win]

remember winnuke? same shyte, different day. http://www.unixgeeks.org/security/newbie/security/ winnuke.html [unixgeeks.org]

Out of interest....

[Anonymous Coward]

How many other people clicked on the "teaser of nude Britney Spears pictures" link in the Slashdot story and were bitterly disappointed?

Re:Out of interest....

[mattpointblank]

You mean the link does go to nude pictures?

Re:Out of interest....

[Rakshasa Taisab]

Do you mean; disappointed because they saw the pictures, or because they didn't?

Re:

[ryanov]

Sophos has certainly explained the vulnerability [sophos.com] very well, however. Kudos to Sophos!

Re:

[failedlogic]

Based on the way she is looking right now, if they've updated the picutres recently, I've no interest in clicking on the link. ;)

Fitting

[CODiNE]

Denial about an unfixed security problem? Time for the "insecurity" tag.

Meh

[stratjakt]

I wonder how many coders actually read slashdot.

I can see two seperate bugs causing the same result, I've dealt with it tons of times.

"the bug is back, you didn't fix it"

and I say, "no this one is different"

Meh

Who really fucking cares?

Re:

[Antique Geekmeister]

I do. When a known bug surfaces that affects a lot of people, it's basic security practice to check for other projects that use this chunk of code. In a well-built source control system, it's pretty obvious. With programmers who don't know or try to read how things work doing cut&paste programming, it's uncontrolled and unmanageable.

Guess what company famous for stealing software, lying about its security, famous for hiding "features" that deliberately break interoperability doesn't want to expose its c

useless

[digital bath]

this is useless without pictures

Re:

[account_deleted]

Comment removed based on user account deletion

It would be nice to have real information on this

[frovingslosh]

Does anyone have a link to any information that actually explains how thi exploit works? I've been reading about it for over a week, but can't find any susbtantial information Just warning that it can hit you from web page content or html e-mail reading. But what that has to do with animated cursors is not at all clear. I've never yet seen an html page that could change my user selected cursor, so how is it that this exploit actually affects the user's computer?

Re:

[jwgoerlich]

Does anyone have a link to any information that actually explains how thi exploit works?

Here you go: Analysis of ANI "anih" Header Stack Overflow Vulnerability [mnin.org]

Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode. Just like Jon Ellch and David Maynor showed with the Apple wireless driver exploit, if you can get access to the kernel, you can do pret

Ban C

[bill_mcgonigle]

"DUR!!! A FILE COULD NEVER BE MALFORMED SO THIS CODE CAN'T LOSE!!!"

You've rather eloquently stated the reason why average programmers shouldn't be allowed to code security-sensitive code in the C family of languages.

Everybody gets this wrong. The argument is always for performance. Well, a Windows machines overridden by spyware is just as slow as if the whole userland were written in c#, so I'm not buying that one. "Not even Microsoft" can get security right in C++. The quotes are there not because I e

Re:

[frovingslosh]

Thanks. This was very helpful, and also makes it very clear that this is much more serous than something that just deals with animated cursors. In fact, I'm at a loss to understand why the community is attaching the aminated cursor reference to it.

Re:

[AaronLawrence]

Interesting, thanks. Or not that interesting - just another buffer overflow exploit in code that doesn't validate it's input fully.

Observations: If DEP/the NX/XD bit was actually turned on on Vista or XP by default, this would have no effect.
Bit dissappointing that Firefox falls for this too. I REALLY DON'T WANT Firefox to support animated cursors....

Re:

[jwgoerlich]

If DEP/the NX/XD bit was actually turned on on Vista or XP by default, this would have no effect.

Would it? I am not so sure. DEP protects against execution from the stack. Instead, this exploit uses jmp (jump) to make calls against user32.dll. This is a different animal than what DEP is designed to catch.

J Wolfgang Goerlich

Re:

[mgiuca]

Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode.

This is why I've been saying this problem has NOT been caused by a mere "bug in the code". Bugs happen to everyone, and it's not about blaming people. It's an accident.

But this issue has not been caused by a mere bug. It's been caused by a catastrophic design flaw in Windows itself (which I persona

Re:

[typicallyterrific]

Not quite.

It kind of depends on your definition of "taking control of your computer". If you mean that exploiting a cursor library alone won't let you gain root, that is true as libraries don't run with that sort of privilege. However, if you were to define "control of your computer" as being able to delete all your data, set up a spambox or an irc/web/ftp server on your machine and so on, well that's quite possible, given that these libraries run with user privileges.

The problem is that, in practical terms

Re:

[mgiuca]

Do you mean that an exploit to give full user powers is not practically very different from an exploit to give full root powers? Well yes and no.

On my machine (I am the only user), you're right. Anything getting full user powers could run servers, access/modify/delete all my documents and so on. To fix it, yeah I'd have to wipe my user and start again. But I'd only have to wipe my user. I wouldn't have to reinstall all my apps and reconfigure the machine.

And your second point is that they could find an expl

Re:

[typicallyterrific]

On my machine (I am the only user), you're right. Anything getting full user powers could run servers, access/modify/delete all my documents and so on. To fix it, yeah I'd have to wipe my user and start again. But I'd only have to wipe my user. I wouldn't have to reinstall all my apps and reconfigure the machine.

I was thinking specifically about rootkits [wikipedia.org]. My point is that while in theory that's how it works (normal users don't have root priviliges, end of story) the reality of things is a bit different. In

Re:

[mgiuca]

Does this also mean if you can't trust your own users, they could be using root as well?

I understand that any one hole in a system means people can flow through. But I thought the point was that the ENTIRE system was designed from the ground up with this in mind, so that there are literally very few places to poke holes in (and those places are highly checked for security).

Re:

[typicallyterrific]

Hm. I'd prefer "evolved" over "designed". My understanding is that what we currently know as Unix has come about through normal trial and error over the past thirty years.

As far as I know, as I'm no researcher in the field, security is a bit of a state of mind. It's mostly a measurement of how much time and effort/money you're willing to invest in it; you can code for it in your specs, but it'll depend on how much time you put into debugging it (which, in turn, has diminuishing returns as time wears on: you

Re:

[mgiuca]

This is all sounding good (you seem to be quite an expert). So I'll just say: yes - but the system architecture does have a lot to do with the security model. It doesn't mean it's perfect, but IMHO, the Unix security model is far superior as an architecture than the Windows one, and that says something.

Re:

[cnettel]

The analysis you link to does not mention the kernel. It's true that some GDI is in kernel land, but a surprising amount of resource access, like this, is not. The exploit, in its current form, is firmly in the userland part, and constrained by the security tokens of the thread and process. That's often bad enough, though.

Re:

[Locutus]

nice work finding that, thanks.

You know, if Microsoft can pay a dozen people to make sure a reporter writes THEIR story and not his/her own, you'd think they'd be paying developers enough and putting enough "process" in place in order to make the product better. But here in 2007, it sure looks like they still suck at software engineering.

LoB

ASUS website hacked

[sponga]

thats right the website was hacked the other day and the .ANI exploit was stuck in there
http://www.infoworld.com/article/07/04/06/HNasuste ksitehack_1.html [infoworld.com]

Although I never visited the site because it was slow to begin with and had the worst download rates.

Netcraft says for the asus.com website that it was running Windows Server 2003 but other foregin ASUS sites were running a mix of Linux/BSD.

Re:

[Phil Urich]

Netcraft says for the asus.com website that it was running Windows Server 2003 but other foregin ASUS sites were running a mix of Linux/BSD.

Aha!

I had always wondered why the non-US ASUS sites were so good but the "actual" .com was so buggy and annoying.

Re:

[Locutus]

I wonder how many of those 700 hacked web servers are Microsoft Windows based?

Ask anybody about what OS was the base of an attack which makes the press and you get no answer...
I can only imagine that someone is very persuasive at keeping this quite since there is just too much consistency in how these requests are handled.

Atleast now we know ASUS was/is Microsoft Windows.

LoB

Re:

[Locutus]

found that one site, dynamoo.com is Linux/Apache based.

LoB

Cut it out

[symbolset]

Steve, leave the slashdot editors alone. If you need to blow off steam, go throw a chair or something.