Sunday, April 1, 2007

Windows .ANI File - Zero Day Exploit

There's a new Windows exploit in the wild with no patch available (yet). The vulnerability is in the way Windows handles .ani files, the format used for animated cursors. The exploit lets attackers run arbitrary code and potentially take full control of your computer.

Most antivirus vendors should already have signatures for this type of attack, so update your antivirus patterns and wait until MS releases a patch for this vulnerability. MS's current guidance is a workaround; not the best solution, but it should mitigate the attack. Vista users running IE7 are protected because of IE's "Protected Mode" feature.

Exploit info here.
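As an added example (not from the original post or from Microsoft), here is a small defensive scanner for the .ani container that mail gateways and file scanners used as a stop-gap while waiting for the patch. An .ani file is a RIFF container of type ACON whose `anih` chunk is a fixed 36-byte header; the flaw exploited in 2007 was triggered by an `anih` chunk declaring an oversized length, so the scan flags any `anih` chunk whose declared size is not 36 and any chunk that overruns the file. The sample files below are constructed inline for the demonstration.

```python
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields


def scan_ani(data: bytes) -> list[str]:
    """Walk the RIFF chunk tree of an .ani file and return a list of findings.

    An empty list means the structure looks well-formed; each string otherwise
    names one anomaly (bad container, chunk past end of data, odd anih size).
    """
    findings: list[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) container"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")

    def walk(start: int, end: int) -> None:
        pos = start
        while pos + 8 <= end:
            tag = data[pos:pos + 4]
            size = struct.unpack_from("<I", data, pos + 4)[0]
            body = pos + 8
            if body + size > end:  # declared length runs past the container
                findings.append(f"chunk {tag!r} at {pos} declares {size} bytes past end")
                return
            if tag == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk at {pos} declares {size} bytes, expected {ANIH_EXPECTED_SIZE}")
            if tag == b"LIST":  # nested list: skip the 4-byte list type, recurse
                walk(body + 4, body + size)
            pos = body + size + (size & 1)  # RIFF chunks are word-aligned

    walk(12, min(len(data), riff_size + 8))
    return findings


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Helper for building constructed test files: tag, little-endian size, body."""
    return tag + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_ani(anih_body: bytes) -> bytes:
    """Build a minimal RIFF/ACON file holding one anih chunk (constructed sample)."""
    payload = b"ACON" + _chunk(b"anih", anih_body)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


# Constructed samples: a well-formed 36-byte header and one declaring 100 bytes.
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 1, 1))
BAD_ANI = build_ani(b"A" * 100)
```

Running `scan_ani` over a quarantined attachment gives a quick triage signal; it is a structural heuristic, not a replacement for the vendor patch or updated antivirus signatures.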

Below are excerpts from MS's security advisory covering the workarounds for this issue:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
  • Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
    Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
  • Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
    • The changes are applied to the preview pane and to open messages.
    • Pictures become attachments so that they are not lost.
    • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.