Over 2,000 sites now exploit .ani security flaw

More than 2,000 Web sites have been rigged to exploit the animated cursor security flaw in Microsoft's software

More than 2,000 unique Web sites have been rigged to exploit the animated cursor security flaw in Microsoft's software, according to security vendor Websense.

Those Web sites are either hosting exploit code or are redirecting Internet users to sites with bad code, Websense's blog reported Monday.

The number of Web sites engineered to exploit the problem has jumped considerably since the vulnerability was publicly disclosed by Microsoft on March 29. It will likely continue to rise until patches are applied across corporate and consumer PCs, said Ross Paul, senior product manager for Websense.

Hackers are hoping to catch some of the millions of unpatched machines.

"What we've seen is that exploits tend to be used as long as they are effective," Paul said.

Last week, Microsoft broke from its regular patching routine and issued an off-schedule fix due to the danger of the vulnerability, which occurs in the way Windows processes .ani or Animated Cursor files, which allow Web sites to replace the regular cursor with cartoonish alternatives.

The flaw affects nearly all versions of Microsoft's Windows OS and is the third zero-day flaw that Microsoft has patched out of schedule since January 2006.

Companies tend to patch their machines on fixed schedules and may not immediately apply a patch when it's released, Paul said. Home users may automatically receive the patch if they are using Windows XP Service Pack 2, but users of older Windows OSes will not.

That's especially dangerous since the .ani problem doesn't require user interaction for a machine to be infected, said Graham Cluley, senior technology consultant at Sophos. Merely viewing a Web site engineered to exploit the vulnerability with an unpatched machine can result in an infection.

As a result, security analysts are generally recommending to apply the patch, even though Microsoft said Friday they were fixing compatibility problems with some applications.

"We are recommending this is a patch you really need to install now," Cluley said.

Websense said that attackers from Eastern Europe and China appear to be at the heart of the efforts. Groups in the Asia-Pacific region and China are exploiting the vulnerability, mainly on machines located in Asia, in order to gain credentials for popular online games such as Lineage, Websense said.

A second group in Eastern Europe, which has been known to use other vulnernabilities in Microsoft's software to install malicious software on machines, "have also added the .ani attacks to their arsenal," Websense said. Those attacks are directed at servers and users in the U.S.

The motivation of the Eastern European group appears to be collecting banking details using form-grabbing software or keyloggers, Websense said. The group has also been known to try to use exploits to install bogus anti-spyware programs.

One technique used by the hackers is to find a vulnerable Web server and cause its viewers to be redirected to another Web site that will exploit their machine using the .ani problem, Paul said.

The hackers are also planting iframes -- hidden windows that can allow code such as JavaScript to run -- to activate an exploit. Paul predicts there may be more to come: "I don't think we've seen the last of this."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?