Printed from www.pcpro.co.uk
Windows under attack from zero-day exploit
Posted on 30 Mar 2007 at 12:09
Microsoft has alerted its users to attacks targetting a flaw in the way Windows handles .ani files, the format used to create animated cursors.
The company has already posted a security advisory and has updated its OneCare security software for consumers to protect against the attacks.
The advisory says all of Microsoft's supported versions of Windows for the desktop are affected, from Windows 2000 SP4 to Vista as well as versions of Windows Server 2003.
The affected software performs 'insufficient format validation prior to rendering cursors, animated cursors, and icons'. An attacker can create a web page or embedded email and by persuading a target to view that content could install malicious code on the system.
McAfee says Vista is only vulnerable to a denial of service attack. Microsoft's own investigation has discovered that users of Outlook 2007 are protected against the attack, as are users of Windows Mail on Vista as long as users do not forward or reply to the attacker's email. Outlook Express users are vulnerable, even if they are only viewing mail in text.
Microsoft desribes the attacks as 'targeted and not widespread,' although McAfee has discovered many compromised servers hosting the exploit code for this .ani vulnerability. 'Googling the referenced script yields 113,000 results. It's likely that most of those sites were compromised through SQL injection vulnerabilities. Of course many of these sites have been cleaned up, malicious references removed, but not all,' it says.
While OneCare users are protected, users of other security software will be updated as new attacks are discovered. Some users may already be protected. According to F-Secure, 'A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.'
Symantec too says its users remain protected. 'So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension,' it says.
Microsoft suggests reading email only in plain text, ensuring firewall and security software is up to date, keep Windows updated and treat all file transfers with suspicion.
Microsoft says it will be necessary to issue a security update, although it is not yet clear whether this will be within the normal monthly parameters or an out of cycle release.
Author: Matt Whipp
advertisement
- Why Britain's watchdogs have fewer teeth than goldfish
- Tabbed documents: how to make Office 2010 great
- Outlook 2010 People Pane – does it spell death to Xobni
- Microsoft Outlook 2010 screenshots
- Co-Authoring in Word 2010 and SharePoint Foundation 2010
- Microsoft Outlook 2010 screenshots: Backstage view
- Flash 10.1: Developing for Desktop and Device
- Microsoft Office 2010 screenshots: Recover unsaved items
- Microsoft Word 2010 screenshots: Text Effects
- Microsoft Word 2010: inserting screenshots
- Getting to grips with Microsoft's IT Health Environment Scanner
- Virtualise your servers
- The changing face of travel gadgets
- Build your own distributed file system
- The bulletproof Dell that costs an arm and a leg
- Microsoft Office 2010 Technical Preview: Q&A
- Lawnmowers, the TyTN II and one odd insurance request
- There'll never be a bulletproof OS
- How far can we trust apps?
- Five nice touches in Outlook 2010
advertisement
