Security Watch

Keeping Track of patches and hacks in the IT security world.

ANI Zero Day Takes New Turns to the Uber-Nasty

If you're reading this with Internet Explorer on a Windows machine, don't. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination.

Proof-of-concept code for the attack was released after business hours on Friday, according to SANS.

Blocking .ani files won't help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs.

Microsoft today posted security advisory 935423 about the exploit. Here's the full list of vulnerable systems:

"Microsoft Windows 2000 Service Pack 4Microsoft Windows XP Service Pack 2Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)Microsoft Windows XP Professional x64 EditionMicrosoft Windows Server 2003Microsoft Windows Server 2003 for Itanium-based SystemsMicrosoft Windows Server 2003 Service Pack 1Microsoft Windows Server 2003 with SP1 for Itanium-based SystemsMicrosoft Windows Server 2003 x64 EditionMicrosoft Windows Vista"
The company still hasn't provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765).

Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft's patch when it's out.

According to Microsoft, using IE 7 in Protection Mode will protect users from the exploit. SANS is reporting that anti-virus detection is picking up on the exploit, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files.

Microsoft has also confirmed that Outlook 2007 users are protected, as the tool uses Word to display HTML messages. The company reports that users of Windows Mail on Vista are protected if they don't forward or reply to infected e-mail. Outlook Express users won't be protected when reading e-mail in plaintext, given that this mode won't show embedded .ani files.

McAfee's Avert Labs, which discovered the exploit earlier this week, has posted a video of the attack in action against Vista in which the system enters an endless crash-restart loop. McAfee said that the video doesn't reflect how the attack would look in the real world, where it would come through a Web browser.

Trend Micro has a diagram of how the malware is working here.

Microsoft has updated its MSRC blog to answer questions about the ANI attack that have been rolling in since it started spreading. The answers to those questions, in a nutshell:

"Microsoft was first alerted to the Windows animated cursor vulnerability on Dec. 20 by a security researcher at Determina.McAfee first alerted Microsoft to the attack on March 28.Microsoft is feeding its partners information through the MSRA so they can update anti-virus and intrusion detection/protection systems.The company is working on a patch now and plan to release it as part of its next Patch Tuesday.Microsoft doesn't advise you use patches from a third party (like eEye), since Microsoft hasn't tested them."