MS-ISAC ADVISORY NUMBER:
2007-008

DATE(S) ISSUED:
3/29/2007

SUBJECT:
New Vulnerability in Windows Animated Cursor Handling Could Allow Remote Code Execution

OVERVIEW:
A new vulnerability has been discovered in Microsoft Windows in the way animated cursor files are processed. This vulnerability can be exploited if a user visits a malicious webpage, views a malicious email message in HTML format, or opens a malicious email attachment. Successful exploitation of this vulnerability could lead to complete control of the affected system.

Please note that there is proof-of-concept code available publicly on the Internet. This vulnerability is currently being exploited.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 SP4
  • Microsoft Windows XP SP2
  • Microsoft Windows XP 64-bit Version 2003 (Itanium)
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows Server 2003 SP1 for Itanium-based systems
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Vista

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

A new vulnerability has been discovered in the way Microsoft Windows processes animated cursor (.ani) files, which could allow a remote attacker to execute commands on the local system. This vulnerability is due to improper format validation before processing cursors, animated cursors, and icon files. There is proof-of-concept code available publicly on the Internet. This vulnerability is currently being exploited.

After successful exploitation, an attacker could take complete control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.

It should be noted that users running Internet Explorer 7 on Windows Vista are not affected by this vulnerability.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply all appropriate patches to vulnerable systems as soon as they become available, after appropriate testing.
  • Filter (block) all incoming Windows animated cursor files (.ani) at email gateways and proxy servers.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Only use a web browser as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from untrusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
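
An added example, not part of the MS-ISAC advisory: a gateway-side check for the .ani filtering recommendation above that matches on the RIFF container signature (form type ACON) as well as the file extension, so a cursor file renamed to another extension is still flagged. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

RIFF_MAGIC = b"RIFF"
ANI_FORM = b"ACON"  # RIFF form type used by animated cursor files


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes start with a RIFF header whose form type is ACON."""
    return len(data) >= 12 and data[:4] == RIFF_MAGIC and data[8:12] == ANI_FORM


def ani_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every MIME part the gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if looks_like_ani(payload):
            hits.append((name, "content"))    # signature match, any extension
        elif name.lower().endswith(".ani"):
            hits.append((name, "extension"))  # name match, content not RIFF/ACON
    return hits


def build_sample() -> bytes:
    """Constructed message: a bare 12-byte RIFF/ACON header, no cursor data."""
    header = RIFF_MAGIC + (4).to_bytes(4, "little") + ANI_FORM
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(header, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment(b"not a cursor", maintype="application",
                       subtype="octet-stream", filename="pointer.ANI")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in ani_attachments(build_sample()):
        print(f"block {filename!r}: matched on {reason}")
```
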

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/advisory/935423.mspx

Security Focus:
http://www.securityfocus.com/bid/23194

SANS:
http://isc.incidents.org/

McAfee:
http://www.avertlabs.com/research/blog/?p=230

CNET:
http://news.com.com/Cursor+hole+puts+Windows+PCs+at+risk/2100-1002_3-6171727.html?tag=nefd.top


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.