MS-ISAC ADVISORY NUMBER:
2007-008 Updated

DATE(S) ISSUED:
3/29/2007
03/30/2007 - Updated

SUBJECT:
New Vulnerability in Windows Animated Cursor Handling Could Allow Remote Code Execution

OVERVIEW:
A new vulnerability has been discovered in the way Microsoft Windows processes animated cursor files. It can be exploited if a user visits a malicious webpage, views a malicious email message in HTML format, or opens a malicious email attachment. Successful exploitation could give an attacker complete control of the affected system.

Please note that there is proof-of-concept code available publicly on the Internet. This vulnerability is currently being exploited.

MARCH 30 UPDATED INFORMATION:

This vulnerability can also be exploited if a user merely views an email within the preview pane of Microsoft Outlook.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 SP4
  • Microsoft Windows XP SP2
  • Microsoft Windows XP 64-bit Version 2003 (Itanium)
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows Server 2003 SP1 for Itanium-based systems
  • Microsoft Windows Server 2003 for Itanium-based systems
  • Microsoft Windows Vista

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:

A new vulnerability has been discovered in the way Microsoft Windows processes animated cursor (.ani) files, which could allow a remote attacker to execute arbitrary code on the local system. The vulnerability is due to improper format validation before cursors, animated cursors, and icon files are processed. Proof-of-concept code is publicly available on the Internet, and the vulnerability is currently being exploited.

After successful exploitation, an attacker could take complete control of a vulnerable system and perform actions such as installing programs; viewing, changing, and deleting data; and creating user accounts.

It should be noted that users running Internet Explorer 7 on Windows Vista are protected from the currently known web-based attacks by Internet Explorer 7 Protected Mode. Windows Vista itself is still an affected system (see SYSTEMS AFFECTED above), and the email-based vectors described below still apply to it.

MARCH 30 UPDATED DESCRIPTION:

Microsoft discovered after additional testing that this vulnerability may also be exploited if a user previews, replies to, or forwards a malicious email in plain text format when using Outlook Express or Windows Mail (the Windows Vista email client).

It should be noted that the email vector does not apply to users running Outlook 2007.

The following list of known domain names and IP addresses that were/are associated with this vulnerability was provided by the Symantec DeepSight Threat Management System. We recommend that you black-hole these domain names and IP addresses and log any attempt to resolve these names, since such an attempt may indicate an infection. The entries below are intentionally defanged with an inserted space; remove the space before using them in a filter.


220.71.76. 189
wsfgfdgrtyhgfd. net
85.255.113. 4
uniq-soft. com
fdghewrtewrtyrew. biz
newasp.com. cn
33577. cn
ym52099.512j . com
1.520sb. cn
www.h3210. com
koreacms.co. kr
i5460. net


ORIGINAL RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply all appropriate patches to vulnerable systems as soon as they become available, after appropriate testing.
  • Filter (block) all incoming Windows animated cursor files (.ani) at email gateways and proxy servers. Identify them by content (the RIFF container with the ACON form type) and not only by the .ani extension, since Windows loads a cursor based on the file's structure rather than its name.
  • Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Only use a web browser as a non-privileged user (one without administrative privileges) to limit the impact of a successful attack.
  • Do not open email attachments from un-trusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
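The description above attributes the flaw to improper format validation of animated cursor files, and the recommendations ask gateways to block incoming .ani content. The following is an added example, not part of the MS-ISAC advisory and not Microsoft's code: a content-based gateway check that recognises ANI files by their RIFF/ACON header regardless of file name, walks the RIFF chunks with bounds checking, and verifies that every anih chunk has the 36-byte size the documented ANIHEADER structure requires. The policy of blocking all ANI content follows the recommendation; the structural findings are only there to make the gateway log useful. The sample files are constructed in the block and are not real cursors or in-the-wild samples.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs, per the documented ANI layout


def is_ani(data: bytes) -> bool:
    """Content sniff: a RIFF container whose form type is 'ACON'.
    The file name is ignored on purpose; a renamed .ani is still loaded as a cursor."""
    return len(data) >= 12 and data[0:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (chunk_id, data_offset, data_size) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if body + size > end:
            raise ValueError(f"chunk {cid!r} at offset {pos} claims {size} bytes, past end of container")
        yield cid, body, size
        pos = body + size + (size & 1)  # RIFF chunks are padded to an even length


def check_ani(data: bytes) -> list:
    """Return structural findings; an empty list means the file matches the documented layout."""
    if not is_ani(data):
        return ["not an ANI file (no RIFF/ACON header)"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_size
    if end > len(data):
        findings.append(f"RIFF size {riff_size} runs past end of file ({len(data)} bytes)")
        end = len(data)
    anih_seen = 0
    try:
        for cid, body, size in iter_chunks(data, 12, end):
            if cid != b"anih":
                continue  # LIST/fram/icon/rate/seq chunks are not validated by this example
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_seen} has size {size}, expected {ANIH_SIZE}")
                continue
            (cb_size,) = struct.unpack_from("<I", data, body)
            if cb_size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_seen} cbSize field is {cb_size}, expected {ANIH_SIZE}")
    except ValueError as exc:
        findings.append(str(exc))
    if anih_seen == 0:
        findings.append("no anih chunk present")
    elif anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks present; a well-formed file carries one")
    return findings


def gateway_verdict(data: bytes) -> str:
    """Gateway policy from the recommendation above: block every ANI file, whatever its name,
    and record why a malformed one was blocked so the log is useful to responders."""
    if not is_ani(data):
        return "pass"
    findings = check_ani(data)
    return "block: ANI content, " + ("; ".join(findings) if findings else "well-formed")


def build_ani(*anih_bodies: bytes) -> bytes:
    """Constructed sample builder (not a real cursor): wraps anih bodies in a RIFF/ACON container."""
    chunks = b""
    for body in anih_bodies:
        chunks += b"anih" + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"ACON" + chunks


# Constructed samples. ANIHEADER fields: cbSize, nFrames, nSteps, iWidth, iHeight,
# iBitCount, nPlanes, iDispRate, bfAttributes.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
WELL_FORMED = build_ani(GOOD_HEADER)
OVERSIZED = build_ani(GOOD_HEADER, b"A" * 200)  # a second anih chunk with a 200-byte body
TRUNCATED = b"RIFF" + struct.pack("<I", 112) + b"ACON" + b"anih" + struct.pack("<I", 100) + b"\0" * 10
RENAMED_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 16  # JPEG magic: not ANI, so it passes

if __name__ == "__main__":
    for name, blob in [("cursor.ani", WELL_FORMED), ("photo.jpg", OVERSIZED),
                       ("cut.ani", TRUNCATED), ("real.jpg", RENAMED_JPEG)]:
        print(f"{name:12s} {gateway_verdict(blob)}")
```

The check deliberately stops at the anih chunk: it does not decode frames, and it does not try to decide whether a malformed file is an exploit. For a gateway that is the right trade-off, since the advisory's recommendation is to block the file type outright and the findings only need to be good enough to triage.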

MARCH 30 UPDATED RECOMMENDATIONS:

  • Read email messages in plain text format in Outlook 2002 or later.
  • Disable the preview pane in Outlook, Outlook Express, and Windows Mail.
  • Black-hole the domain names noted above and log any attempt to resolve these names, since such an attempt may indicate an infection. DO NOT VISIT THESE SITES!
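The following is an added example, not part of the MS-ISAC advisory, covering the indicator list above and the black-hole recommendation: it re-fangs the indicators (the advisory inserts a space to keep them unclickable), emits sinkhole records in BIND response-policy-zone (RPZ) syntax, and scans a constructed query log for resolution attempts so they can be logged as possible infections. RPZ stands in for whatever black-hole mechanism your resolver supports; the log line format (classic BIND "client a.b.c.d#port: query: name IN ...") and the client addresses in the sample log are assumptions.

```python
import ipaddress
import re

# Indicators exactly as listed in the advisory, still carrying the defanging spaces.
RAW_INDICATORS = """\
220.71.76. 189
wsfgfdgrtyhgfd. net
85.255.113. 4
uniq-soft. com
fdghewrtewrtyrew. biz
newasp.com. cn
33577. cn
ym52099.512j . com
1.520sb. cn
www.h3210. com
koreacms.co. kr
i5460. net
"""


def parse_indicators(text: str):
    """Re-fang by removing inserted spaces, then split the list into IP addresses and domain names."""
    ips, domains = set(), set()
    for line in text.splitlines():
        token = line.replace(" ", "").strip().lower().rstrip(".")
        if not token:
            continue
        try:
            ips.add(str(ipaddress.ip_address(token)))
        except ValueError:
            domains.add(token)
    return ips, domains


def rpz_records(ips, domains):
    """Sinkhole records in BIND RPZ syntax. 'CNAME .' answers NXDOMAIN; each name is listed
    twice so that subdomains are covered, and each IP becomes an rpz-ip trigger that blocks
    any answer resolving to it (prefix length first, then reversed octets)."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d}\tCNAME\t.")
        lines.append(f"*.{d}\tCNAME\t.")
    for ip in sorted(ips, key=ipaddress.ip_address):
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{rev}.rpz-ip\tCNAME\t.")
    return lines


# Assumed classic BIND query-log layout: "client 10.0.0.5#51234: query: name IN A + (...)"
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def name_is_listed(qname: str, domains) -> bool:
    """Exact match or subdomain of a listed name; 'notuniq-soft.com' must not match 'uniq-soft.com'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_query_log(lines, domains):
    """Return (client, queried name) for every query that touches a listed domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and name_is_listed(m.group(2), domains):
            hits.append((m.group(1), m.group(2).lower().rstrip(".")))
    return hits


# Constructed sample log lines; clients and timestamps are invented for the example.
SAMPLE_LOG = [
    "29-Mar-2007 10:12:01.123 client 10.0.0.5#51234: query: wsfgfdgrtyhgfd.net IN A + (10.0.0.2)",
    "29-Mar-2007 10:12:03.456 client 10.0.0.5#51235: query: www.microsoft.com IN A + (10.0.0.2)",
    "29-Mar-2007 10:12:07.789 client 10.0.0.9#40001: query: cdn.uniq-soft.com. IN A + (10.0.0.2)",
    "29-Mar-2007 10:12:09.001 client 10.0.0.9#40002: query: notuniq-soft.com IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    ips, domains = parse_indicators(RAW_INDICATORS)
    print("\n".join(rpz_records(ips, domains)))
    for client, name in scan_query_log(SAMPLE_LOG, domains):
        print(f"possible infection: {client} queried {name}")
```

Note that the list carries "www.h3210.com" rather than "h3210.com", so a query for the bare apex name is not matched; widen the entry yourself if you decide the parent domain is hostile. Resolution attempts matter more than blocked answers here, which is why the log scan keys on queries.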

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/advisory/935423.mspx

Security Focus:
http://www.securityfocus.com/bid/23194

SANS:
http://isc.incidents.org/

McAfee:
http://www.avertlabs.com/research/blog/?p=230

CNET:
http://news.com.com/Cursor+hole+puts+Windows+PCs+at+risk/2100-1002_3-6171727.html?tag=nefd.top

MARCH 30 UPDATED REFERENCES:

US CERT:
http://www.kb.cert.org/vuls/id/191609

FrSIRT:
http://www.frsirt.com/english/advisories/2007/1151

Symantec:
http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=23194

eEye:
http://research.eeye.com/html/alerts/zeroday/20070328.html


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.