Since its discovery in the wild, there are now hundreds of specially crafted websites that host malicious ANI files that exploit the “Windows Animated Cursor Handling” vulnerability. This vulnerability is exploitable on fully patched Windows XP SP2 and Vista running Microsoft’s Internet Explorer 7 or Mozilla FireFox 2. Simply visiting such a rigged website will render a victim machine infected. The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. When such an attachment is viewed or opened with Outlook or Outlook Express the victim machine will be infected by a host of malware. Also, if a malicious ANI file is viewed using Explorer (file extension matters in this case), the exploit will be triggered.
Speaking of browsers, the damage is mitigated if Internet Explorer 7 is running in Protected Mode. This will still permit the malware to have read-only access to a user’s files, allowing it to steal and copy personal data, but will not be able to alter or delete any data. UAC (User Account Control) in Vista might only be able to prevent installation of persistent malware, but won’t prevent damage to user’s data unless the browser is running in Protected Mode. FireFox does not have Protected Mode under Vista, and if exploited using the ANI file vulnerability, will allow malicious code to execute with similar privileges as the logged on user allowing complete disk read and write. Do not get confused with “Safe Mode” in FireFox which is purely for debugging purposes.
The ANI exploit is preventable by enabling DEP (Data Execution Prevention) in Windows XP SP2 or Vista. When enforced with hardware NX/XD support, DEP will prevent the exploit from being triggered. Beginning with Windows XP Service pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on x86 architectures. The NX bit (as termed by AMD which stands for No eXecute) or XD bit (as termed by Intel which stands for eXecute Disable), is a technology used in CPUs to separate areas of memory for storage of processor instructions (i.e. code) and for storage of data. The section of memory designated with the NX attribute indicates it to be used for storing data. Hence, even if processor instructions reside in such a section of memory, they cannot be executed. This prevents malicious programs from executing their own code which they might have inserted into another program’s data storage area. This is precisely what the ANI exploit does, and DEP (OS feature) combined with NX/XD (CPU feature) can prevent this from happening.
But Microsoft ships most of its Window’s operating systems with DEP turned off by default. It is on the user to turn DEP “on” for all applications. This might render a few applications not functioning properly, but I believe this is a price well worth the bargain. This should also teach application developers to adhere to safe programming practices.
Microsoft will be releasing an out-of-cycle patch for this vulnerability today.