Here's the scoop on the Windows animated cursor bug
- 03 April, 2007 11:16
When a major vulnerability affecting every flavor of Windows -- including Vista -- breaks, it only seems like chaos ensues. Okay, so it is chaos. Witness the so-far short-lived flaw in Windows' animated cursors (ANI), which picked up enough steam over the weekend to power a turbine or two. IT staff, small business users and consumers have been trying to figure out which way is up, and whether this is a Big Deal or just another security industry siren blaring in the background. This FAQ on the flaw, explains what it is, which machines are at risk and what you can do to protect yourself.
What's the problem, anyway? A critical flaw in User32.dll, specifically in the code of that Windows .dll that loads animated cursor (.ani) files, which are used to trick out the cursor, changing it from a simple pointer to a short animation. Microsoft, for example, sometimes includes animated cursors in its optional visual theme downloads. Exploits targeting the bug can use ANI files to run malicious code on a victimized PC, infecting it with spyware, stealing identity information or adding it to a botnet of hijacked systems.
When did this pop up? Microsoft says it was first notified in late December 2006 by researchers at Determina, but others -- including Marc Maiffret of eEye Digital Security -- point out that the vulnerability is very similar to one patched in January 2005 that also affected cursor files. It wasn't until last week -- March 28, to be exact -- that attacks using the exploit were spotted in the wild (by McAfee) and reported to Microsoft's Security Response Center (MSRC).
What versions of Windows are vulnerable? This is the cropper, isn't it? One of the things that makes the ANI bug so dangerous is that it affects every still-supported edition of Windows, including Windows 2000 SP4, XP SP2, Server 2003 (up to SP2), and even Vista. Both 32- and 64-bit versions are at risk.
What about Linux or Mac systems? Are they at risk, too? Hahahahahaha. Sorry. Nope.
Are hackers using the vulnerability? Funny. China's Internet Security Response Team (CISRT) warned over the weekend that a worm exploiting ANI was in the wild. Symantec tagged the worm as Fubalca, while other security companies -- no surprise here -- applied different monikers. McAfee, for instance, calls it Fujacks.aa, while Computer Associates labeled it MSA-935423!exploit. Nothing like consistency. Other reports have cited one or more spam runs that include links to malicious sites hosting an ANI exploit, while the newest information from Websense Inc. is that there are at minimum 150 Web sites circulating the attack. So the short answer, unfortunately, is yes.
Page BreakWhat attack vectors are hackers using? So far, it's the usual panoply of suspects, including spammed e-mails with links to malicious sites and malicious and compromised sites that have tucked malformed ANI files on their pages. Websense, for example, says that some of the malicious domains are identical to ones used in the early February compromise of the Dolphin Stadium site just before Super Bowl XLI. The stadium's Web site served up a host of malware to visitors. Up to this point, however, there is one glimmer of hope: active exploits are directed against Windows XP SP2 only.
What else can they use? You name it, they'll use it. Specifically, several of Microsoft's e-mail clients, including the for-free Outlook Express and Windows Mail (in Vista) are vulnerable to attacks that package an ANI file in an HTML message. Users who only preview such messages can be infected, says the SANS Institute.
Are there patches for this? Yes and no. Those that are out now don't come with the Microsoft seal of approval. Two patches have been issued since last week. First to the plate was eEye, which on Friday released a fix it said blocked the loading of any ANI file from outside the local system. The Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, issued its own patch Saturday.
What about Microsoft? Microsoft, as is its practice, took a dim view of the third-party patches from eEye and ZERT. "While we appreciate that these are provided to help protect customers, we do recommend that customers only apply security updates and mitigations provided by the original software vendor," said MSRC program manager Christopher Budd on the team's blog. "This is because as the maker of the software, we can give our security updates and guidance thorough testing and evaluation for quality and application compatibility purposes. We're not able to provide similar testing for independent third party security updates or mitigations." That said, after the usual comments last week -- we're investigating, attacks are limited -- the MSRC on Sunday said it had a patch wrapped up, more or less, and would issue an official fix on Tuesday, a week earlier than the normal second-Tuesday-of-the-month security update.
Why can't I just block ANI files? Nice try. But exploits have been spotted that disguise the malicious ANI files as JPG image files. This hacker tactic is common; the massive WMF attacks in late 2005 and early 2006 also camouflaged malformed Windows Metafile images with other extensions.
Are there any other steps I can take while waiting for Microsoft's patch? If you're uncomfortable with applying a third-party patch, you might want to switch to an alternate browser, say Firefox 2.0, temporarily. Current exploits are targeting Microsoft's Internet Explorer only, and several vendors, including Symantec, have gone on record as saying Firefox is not vulnerable. That may change, however, since there isn't anything in Firefox that expressly prevents an attack. On the e-mail front, both Microsoft and SANS confirm that Outlook 2007 is invulnerable to attacks. Outside of those software choices, other things to do include updating anti-virus software (most vendors now detect the known exploits), avoiding untrusted Web sites (you know what we're talking about), and not clicking on links in unsolicited e-mail messages. You know, the usual drill for avoiding an infection.