Exploit for "Zero-Day" Vulnerability Detected by Microsoft

31.03.2007 New MS Windows exploit, see here: Microsoft Security Advisory (935423), and it is still not fixed :frowning:

There are new detections in the VPS for this vulnerability and it has been discussed in the forums previously. Check the VPS History and look for win32:ani- lots added in today's VPS update and many more a few days ago, 30/4, 31/4.

No, you misunderstood me :-. I mean to say that Microsoft hasn't released a fix for that "hole" :slight_smile:

They are by all accounts going to release one tomorrow, Wed 3rd April; see the avast general forum, >> Updates << topic.

Thankfully avast have been all over it like a rash with the VPS updates.

Hi avatar2005 and DavidR,

Good that avast protects us from the first worm that uses the animated cursor leak in Windows. This worm spreads through e-mails and infected websites, so using the Firefox browser until the hole is patched is recommended. Whenever you view the HTML the worm can be spread further, not only via the ANI exploit but also through USB sticks and other media. The worm changes the settings of the Hosts file and downloads a variant of the Trojan-PWS.Win32OnLineGames malware.
Microsoft has been aware of this hole since last December. In severity the ANI leak equals the WMF bug, so the Internet Storm Center is at yellow now.
ANI files date from the days of Windows 3.1. It is a bug in user32.dll, present in all 32-bit Windows versions.
Actually it is a ridiculously simple bug, a stack overflow in the second unchecked part of the ANI header, even more so since a similar stack overflow had been found in the first part of the ANI header in 2005.
I think we are unaware of what holes lie dormant, waiting to be discovered in the near future.

polonus

Microsoft knew of Windows .ANI flaw since December 2006
http://blogs.zdnet.com/security/?p=143&tag=nl.e589

Which is why I will never use Internet Explorer again. Microsoft is notified of flaws and, rather than addressing them immediately with at least some advice/warnings to their customers, they stay silent for four months before even mentioning it. I understand it can take time for them to come up with a permanent solution, but in the meantime users who don't know any better are infecting their machines daily. All Microsoft's silence does is perpetuate the proliferation of viruses around the world.

Is this the one you are talking about???
ANI Exploits - Microsoft releasing emergency patch on April 3rd

I’d suggest the following:

  • Make sure anti-virus is on the latest definitions on servers and clients
  • Avoid the eEye and ZERT patches in favor of the official patch
  • Look at mitigating factors documented in the MS advisory
  • Pilot test and roll the official patch out promptly
  • All HTML code is now a little more dangerous and folks should be extra careful with email and website visitations.

ANI Exploits - Microsoft releasing emergency patch on April 3rd
http://www.microsoft.com/technet/security/...in/advance.mspx
http://isc.sans.org/diary.html?storyid=2555

Most of you probably won't have to worry though, because most use either Opera or Firefox as their browser. This vulnerability only applies to Internet Explorer 6 or 7 on Windows 2000, XP, 2003, and Vista. However, if you're using IE 7 on Vista and you have User Account Control (UAC) enabled, then you are also fine. When you have UAC enabled it will force IE 7 to run in "protected mode", which is helpful in preventing unwanted attacks such as this one.

Hi drhayden1,

What I cannot understand is that this hole has been there since the days of Windows 3.1 (in computer terms that is Dino time), they had it in 2005 (the other (first) part of the ANI header), were then warned about this one in 2006, and only when the cat is out of the basket do they hurry to bring out an emergency patch.
The stack overflow was so simple you could take it from any hacker example textbook.

It is the same as if you would steer a Humvee built on a Volkswagen Beetle frame and parts. Wouldn't it rattle, with the repair man running next to it to keep it patched? Who is living in cuckoo-land now?

polonus

Well I don't have Vista to use UAC, but I do use Opera 9.1, so I think I'm protected better than those who use IE. :slight_smile: ???

Same here, I use Opera and also Avant (IE clone), but won't use it for the time being :o
And polonus, why didn't they take care of this problem long ago? But finally, since the cat is out of the hat, they are running around like crazy mice fixing the problem 8)
Click on pic to enlarge :slight_smile:

If you want to hear more about this, Steve Gibson has made a special edition of Security Now that talks about this.

http://www.twit.tv/SN

Thanks marc57.
"Depending upon your level of concern and/or exposure you could install the eEye patch now, or wait (one day) for Microsoft's official update. But be sure to look for this update on or after Tuesday, April 3rd." Sure will, but I will get the official update to be on the safe side :slight_smile:
Click to make kiss a little bigger ;D

Hi drhayden1,

What shall we say to the "mice"? We read in the textbook that counter-measures can be taken against stack overflow vulnerabilities, that is, using secure programming code. Well, no code is free of errors, but all too often code is produced that is brought in to solve some urgent problem (as is demonstrated here again); security in that case is often not taken as a first priority. Vendors of code (Microsoft et al. included) are sloppy with code; too many are aware their code is full of holes, but do not want to pay attention, or try to solve problems later in the form of a patch. Secure compilers should be used; arguments should be validated whether they are user- or program-directed. This may slow programs down slightly, but security of the application is enhanced. Use secure routines and check the return codes. Minimize the number of processes that run. And install all vendor patches.
We advise not to install third party patches. The eEye patch is already being circumvented by the malcreants. But our mice can read textbooks as well, I think.

polonus
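The two polonus posts above describe the bug class (a stack overflow from an unchecked part of the ANI header) and the textbook counter-measures (validate arguments, use secure routines, check return codes). As an added illustration, not code from this thread, from avast, or from Microsoft, here is a small C parser for the RIFF/ACON container that checks every length read from the file before using it as an offset or copy size. The nine-field, 36-byte layout of the anih chunk follows the documented ANIHEADER structure; the sample files are constructed inside the code, and the example does not try to reconstruct the specific 2007 defect.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* An ANI file is a RIFF container of form type "ACON"; its "anih" chunk holds
 * a 36-byte header of nine little-endian uint32 fields. The hardening shown
 * here: a length declared in the file is trusted only after it is checked
 * against the bytes actually present AND against the fixed destination size. */
#define ANIH_SIZE 36u

typedef struct {
    uint32_t cbSize, nFrames, nSteps, cx, cy;
    uint32_t cBitCount, cPlanes, jifRate, flags;
} anih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 and fills *out on success, 0 with a reason in *why otherwise. */
int parse_ani(const uint8_t *buf, size_t len, anih_t *out, const char **why) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) {
        *why = "not a RIFF/ACON file"; return 0;
    }
    uint32_t riff_len = rd32(buf + 4);
    if (riff_len > len - 8) { *why = "RIFF length exceeds buffer"; return 0; }

    size_t pos = 12, end = 8 + (size_t)riff_len;
    while (pos + 8 <= end) {
        const uint8_t *id = buf + pos;
        uint32_t csize = rd32(buf + pos + 4);
        pos += 8;
        /* Check 1: declared chunk length versus data actually present. */
        if (csize > end - pos) { *why = "chunk length exceeds remaining data"; return 0; }
        if (memcmp(id, "anih", 4) == 0) {
            /* Check 2: fixed-size destination, so the length must match exactly
             * rather than being passed straight to a copy routine. */
            if (csize != ANIH_SIZE) { *why = "anih chunk length is not 36 bytes"; return 0; }
            const uint8_t *h = buf + pos;
            out->cbSize = rd32(h);       out->nFrames = rd32(h + 4);   out->nSteps = rd32(h + 8);
            out->cx = rd32(h + 12);      out->cy = rd32(h + 16);       out->cBitCount = rd32(h + 20);
            out->cPlanes = rd32(h + 24); out->jifRate = rd32(h + 28);  out->flags = rd32(h + 32);
            if (out->cbSize != ANIH_SIZE) { *why = "anih cbSize field is inconsistent"; return 0; }
            return 1;
        }
        pos += csize + (csize & 1);   /* RIFF chunks are padded to an even length */
    }
    *why = "no anih chunk found";
    return 0;
}

/* Constructed sample (not a real cursor file): one anih chunk whose declared
 * size is decl and whose actual payload is payload_len bytes. Returns bytes
 * written, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t decl, size_t payload_len) {
    size_t total = 12 + 8 + payload_len;
    if (total > cap || payload_len < 8) return 0;
    memcpy(out, "RIFF", 4);  wr32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);  wr32(out + 16, decl);
    memset(out + 20, 0, payload_len);
    wr32(out + 20, ANIH_SIZE);   /* cbSize field */
    wr32(out + 24, 3);           /* nFrames */
    return total;
}

/* Well-formed header parses and reports three frames. */
int demo_well_formed(void) {
    uint8_t f[128]; anih_t h; const char *why = "";
    size_t n = build_sample(f, sizeof f, ANIH_SIZE, ANIH_SIZE);
    return n != 0 && parse_ani(f, n, &h, &why) == 1 && h.nFrames == 3;
}

/* Declared length larger than the file: stopped by the bounds check. */
int demo_truncated_rejected(void) {
    uint8_t f[128]; anih_t h; const char *why = "";
    size_t n = build_sample(f, sizeof f, 0x200, ANIH_SIZE);
    return n != 0 && parse_ani(f, n, &h, &why) == 0 &&
           strcmp(why, "chunk length exceeds remaining data") == 0;
}

/* Length in bounds but bigger than the fixed header, the shape of the textbook
 * overflow: rejected before anything is copied. */
int demo_oversized_rejected(void) {
    uint8_t f[128]; anih_t h; const char *why = "";
    size_t n = build_sample(f, sizeof f, 80, 80);
    return n != 0 && parse_ani(f, n, &h, &why) == 0 &&
           strcmp(why, "anih chunk length is not 36 bytes") == 0;
}

int main(void) {
    printf("well-formed parses:  %d\n", demo_well_formed());
    printf("truncated rejected:  %d\n", demo_truncated_rejected());
    printf("oversized rejected:  %d\n", demo_oversized_rejected());
    return 0;
}
```

The point of the two checks is the one the post makes: a header field is an argument supplied by whoever wrote the file, so it is validated against both the buffer and the destination structure before it decides how many bytes are read, and the parser returns a checked result code instead of silently continuing.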

Thanks for the advice and/or warning on the patch issue, my friend… will wait till Microsoft and their mice, running around with their heads cut off, release the patch for us supposedly protected computer users to get :slight_smile: ??? 8)
end of story :o

Thanks for the pic. I think I'll wait until tomorrow; I'm running I.E. in protected mode and have Windows Mail set for text only, so I think I'll be OK. (Hope.)

Explain the protected mode or stealth mode you are running that lets you say you are protected… just curious ??? :slight_smile:
Click on pic to enlarge :slight_smile: :stuck_out_tongue:

It was stated by Microsoft that if you have I.E. set to protected mode (Vista only) that it would stop the exploit if you browsed to a bad site.

“The exposure to attacks that exploit the flaw is mitigated on Vista machines with Internet Explorer 7, Microsoft noted. IE 7 protected mode shields the computer against drive-by installations because the browser is restricted to where it can write files.”

(You have to have UAC turned on for this to work)

OK, you are right on that. Later my friend, stay protected in all things you do :wink:

Thanks my friend, I'll try. One more thing: you're protected on the e-mail front if Windows Mail is set to text only, BUT if you reply to or forward the bad e-mail you can get infected, because (for some reason) Windows Mail turns it back to HTML. ???