Microsoft Patches Animated Cursor Flaw in Windows
Published: April 4, 2007
by Alex Woodie
Microsoft yesterday issued a rare "out of cycle" patch that fixes the serious Animated Cursor vulnerability, as well as six other flaws in Windows. Attack code for the Animated Cursor flaw, which affects all current versions of Windows, including Vista, has been distributed widely across the Internet, leading to the formation of a chain of malicious Web sites and spam e-mails that, if visited, can turn full control of your PC over to attackers.
You may have noticed that your mouse's cursor looks different when you visit certain Web pages. This is the result of controls, called .ANI files, that Microsoft has included in Windows and that enable programmers to customize their cursors with animations or icons, such as an hourglass or a trailing cursor. However, unbeknownst to most Windows users, Microsoft's implementation of the .ANI controls contained a stack buffer overflow vulnerability, and somebody discovered how to exploit it to gain control of affected systems.
Reports of attacks first started rolling in last Wednesday. Software security firm McAfee was the first to spot the attacks, which were being executed through a network of malicious Web sites and maliciously crafted HTML e-mails that gave hackers full control over systems.
By Thursday, Microsoft had seen enough. On that day, the company first posted a security advisory confirming that it was aware of the problem and that it was working hard to develop and test a patch. While Microsoft had been aware of the flaw since December, the attacks spurred the company to kick it into high gear and finish the patch, which it did yesterday as part of Microsoft Security Bulletin MS07-017--a week before the next regularly scheduled Patch Tuesday.
It's unclear how many systems were compromised through the Animated Cursor flaw. Microsoft, which typically downplays security problems, says it was aware only of "very limited" attacks utilizing the vulnerability. By the accounts of others, however, the Animated Cursor flaw was a pretty big deal, and exemplified the changing nature of the security game.
Sensors from several organizations' intrusion prevention systems (IPS) indicated attacks were initiated from groups in the U.S., Brazil, China, and Eastern Europe. Those factions likely paid to obtain exploit code for the Animated Cursor, which they used to install a range of malicious software, including adware and keylogger software used to steal identity-related information, according to Amol Sarwate, manager of Qualys' Vulnerability Research Lab.
In the old days, the hackers who discovered vulnerabilities would write viruses or other malware that exploited that vulnerability, Sarwate says. "Now it's a black market. You don't exploit it. You sell it to people who want to spam you or install things on your computer," he says.
The Animated Cursor Flaw also drew out another nemesis of Microsoft: the Zeroday Emergency Response Team, which on Monday released a patch that addressed the vulnerability. However, ZERT's influence was not expected to be long-lasting, in light of Microsoft Security Bulletin MS07-017.
Microsoft Security Bulletin MS07-017 actually fixes seven problems. Besides the Animated Cursor Flaw, other flaws fixed with this patch include the GDI Local Elevation of Privilege vulnerability, the WMF Denial of Service vulnerability, the EMF Elevation of Privilege vulnerability, the GDI Invalid Windows Size Elevation of Privilege vulnerability, the GDI Incorrect Parameter Elevation of Privilege vulnerability, and the Font Rasterizer Local Elevation of Privilege vulnerability. Of these flaws, the Animated Cursor Flaw Remote Code Execution vulnerability is by far the most serious. Microsoft says it has found attack code for the GDI Local Elevation of Privilege vulnerability on the Internet, although no attacks have been reported.
The flaws affect all current versions of Windows, including Windows 2000 Service Pack 4 (SP4), Windows XP SP2, Windows XP Professional X64 Edition, Windows Server 2003 and its SP1 and SP2 variants, Windows Server 2003 for Itanium-based Systems and its SP1 and SP2 variants, Windows Server 2003 X64 Edition and its SP2 variant, and Windows Vista and the X64 Edition of Vista.
The Animated Cursor Flaw is the first real vulnerability to hit Windows Vista since it was released to businesses four months ago, and released to consumers just over two months ago. However, considering that the Animated Cursor Flaw gets to Vista by exploiting legacy Windows code, don't be surprised to find additional problems in Vista related to legacy baggage, Sarwate says.
"This opens doors to hackers," he says. "It says if old pieces were used in Vista, to exploit this vulnerability, there has to be some other code from old operating systems in Vista, which opens doors to other vulnerabilities and other ways for attackers to try out other things. It definitely gives incentives for hackers to check out older vulnerabilities from older products" to see if they have an effect on Vista.
Despite the large, out-of-cycle patch issued yesterday, Microsoft is on track to deliver another round of patches next week as part of its regularly scheduled Patch Tuesday security lifecycle. Microsoft skipped Patch Tuesday for March.