Several of my posts over the last few months have centered around very targeted zero-day attacks. This post covers an exploit that McAfee researchers discovered in the field, posted to a message board. That posting was simply a proof of concept; however, McAfee Avert Labs has since received a malicious sample as well. It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.
Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
The vulnerability lies in the handling of malformed ANI files. Known exploits download and execute arbitrary exe files. This vulnerability is reminiscent of MS05-002.
More information will be posted as it becomes available.
More info.
Update:
The vulnerability ‘causes Vista to enter an endless crash-restart loop’.
Video here:
http://www.avertlabs.com/research/blog/?p=233
More comment here:
http://www.betanews.com/article/Vista_Can_Be_Taken_Down_by_an_Animated_Cursor/1175201875
Hi FwF,
On this site: http://www.malware.com.br/ you can find a special update for ABP in FF or Flock that protects against this. So not only NoScript protects you here, but also this download for Adblock Plus.
polonus
Hi malware fighters,
The exploit is so critical, also in Vista, that an unofficial patch has been brought out:
http://research.eeye.com/html/alerts/zeroday/20070328.html Mind you this is not an official Microsoft patch.
polonus
VPS content over past month: 30.3.2007 - 0729-0 Win32:Ani-N [Trj]
Is this a detection for this exploit?
Is this a detection for this exploit?
Yep.
BTW I’d rather recommend against installing any “unofficial” patches, especially in this case…
Cheers
Vlk
Kudos avast! 8)
The following link gives more insight and a solution
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ANICMOO.AX
Thanks for the quick update Avast team.