Cursor flaw exposes Windows to malicious code threat
Flaw exposed, with no fix available, whereby malicious code can be installed under the guise of an animated cursor.
Multiple versions of Windows are at risk from a recently discovered security hole, whereby malicious code can find its way onto systems via cursor and icon customisation options.
The advisory says all of Microsoft's supported versions of Windows for the desktop are affected, from Windows 2000 SP4 to Vista as well as versions of Windows Server 2003.
The affected software performs 'insufficient format validation prior to rendering cursors, animated cursors, and icons'. An attacker can create a web page or embedded email and by persuading a target to view that content could install malicious code on the system.
McAfee says Vista is only vulnerable to a denial of service attack. Microsoft's own investigation has discovered that users of Outlook 2007 are protected against the attack, as are users of Windows Mail on Vista as long as users do not forward or reply to the attacker's email. Outlook Express users are vulnerable, even if they are only viewing mail in text.
Microsoft describes the attacks as 'targeted and not widespread,' although McAfee has discovered many compromised servers hosting the exploit code for this .ani vulnerability. 'Googling the referenced script yields 113,000 results. It's likely that most of those sites were compromised through SQL injection vulnerabilities. Of course many of these sites have been cleaned up, malicious references removed, but not all,' it says.
While OneCare users are protected, users of other security software will be updated as new attacks are discovered. Some users may already be protected. According to F-Secure, 'A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.'
Symantec too says its users remain protected. 'So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension,' it says.
Microsoft suggests reading email only in plain text, ensuring firewall and security software is up to date, keep Windows updated and treat all file transfers with suspicion.
Microsoft says it will be necessary to issue a security update, although it is not yet clear whether this will be within the normal monthly parameters or an out of cycle release.
BCDR buyer's guide for MSPs
How to choose a business continuity and disaster recovery solutionDownload now
The definitive guide to IT security
Protecting your MSP and your customersDownload now
Cost of a data breach report 2020
Find out what factors help mitigate breach costsDownload now
The complete guide to changing your phone system provider
Optimise your phone system for better business resultsDownload now