Friday, March 30, 2007

New “Zero Day” Vulnerability in Windows Animated Cursor Handling

A new zero day vulnerability has been discovered in the way Microsoft Windows handles animated cursor files (.ANI files). The ANI file format is based on Microsoft's RIFF file format. There have been reports of specially crafted ANI files being hosted on websites that exploit this vulnerability. When an unsuspecting user visits such a "rigged" website, using any of the popular browser applications such as IE7 or Mozilla Firefox, the vulnerable Window's code will be invoked in order to parse/render the specially crafted ANI file which in turn will invoke the exploit code. Resulting this, malware will be silently downloaded and launched on the victim machine (drive-by downloads). Remote code will be executed with the privileges of the logged on user.

The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. The exploit works independent of file extensions making it useless to simply block .ANI files on e-mail gateways. Simply configuring Outlook or Outlook Express to read mail in plain text will still parse the ANI file and hit the exploit. Simply "viewing" such a malicious ANI file using Window's Explorer will allow the exploit code to be triggered.

Microsoft has released a security advisory regarding this: http://www.microsoft.com/technet/security/advisory/935423.mspx

A CVE-2007-0038 has been assigned to this vulnerability.

It seems like the vulnerability is already exploited in the wild:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/

Digg This | Slashdot This | Add to del.icio.us