Cursor flaw exposes Windows to malicious code threat

Flaw exposed, with no fix available, whereby malicious code can be installed under the guise of an animated cursor.

Multiple versions of Windows are at risk from a recently discovered security hole, whereby malicious code can find its way onto systems via cursor and icon customisation options.

Microsoft has already posted a security advisory detailing the issue, as well as updating its OneCare security software for consumers in an attempt to minimise the problem ahead of a long-term fix.

The advisory says all of Microsoft's supported versions of Windows for the desktop are affected, from Windows 2000 SP4 to Vista as well as versions of Windows Server 2003.

The affected software performs 'insufficient format validation prior to rendering cursors, animated cursors, and icons'. An attacker can create a web page or embedded email and by persuading a target to view that content could install malicious code on the system.

McAfee says Vista is only vulnerable to a denial of service attack. Microsoft's own investigation has discovered that users of Outlook 2007 are protected against the attack, as are users of Windows Mail on Vista as long as users do not forward or reply to the attacker's email. Outlook Express users are vulnerable, even if they are only viewing mail in text.

Microsoft describes the attacks as 'targeted and not widespread,' although McAfee has discovered many compromised servers hosting the exploit code for this .ani vulnerability. 'Googling the referenced script yields 113,000 results. It's likely that most of those sites were compromised through SQL injection vulnerabilities. Of course many of these sites have been cleaned up, malicious references removed, but not all,' it says.

While OneCare users are protected, users of other security software will be updated as new attacks are discovered. Some users may already be protected. According to F-Secure, 'A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.'

Symantec too says its users remain protected. 'So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension,' it says.

Microsoft suggests reading email only in plain text, ensuring firewall and security software is up to date, keep Windows updated and treat all file transfers with suspicion.

Microsoft says it will be necessary to issue a security update, although it is not yet clear whether this will be within the normal monthly parameters or an out of cycle release.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
BT conducts 'world's first' trial of quantum-secure communications
Network & Internet

BT conducts 'world's first' trial of quantum-secure communications

13 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021