Microsoft Warns of New Zero-Day Exploit
Posted March 30, 2007

By Jennifer LeClaire. Updated March 30, 2007 8:22AM


On Thursday, Microsoft warned that hackers are actively exploiting a zero-day vulnerability in animated cursor, or .ANI, files for Windows. Some security researchers are comparing it to last year's widespread Windows Metafile (WMF) attacks.

Users of most supported versions of Windows and Windows Server, including Vista, are at risk of attackers taking complete control of their systems. However, Microsoft offered a silver lining: Users running Windows Vista and Internet Explorer 7 in Protected Mode should be safe because the security feature doesn't allow files to access or modify any system files without user permission.

"In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker," Adrian Stone, from Microsoft's Security Response Center, wrote in an official advisory.

Security Researchers Scramble

Microsoft is reporting very limited attacks against the newly reported vulnerability in the way Windows handles animated cursor files. Nonetheless, some security researchers believe the new ANI exploit has similar potential to last year's WMF attacks, which rank among the most dangerous and widely exploited vulnerabilities since the Zotob worms of 2005.

Security researchers are scrambling to gather information on the breadth of the risk. Ken Dunham, director of VeriSign iDefense's Rapid Response Team, worked late into Thursday night to collect data on the latest Windows zero-day threat.

"iDefense has confirmed active exploitation of the new ANI exploit in the wild," Dunham reported. "Multiple domains point back to two different hostile servers at this time." There are no known e-mail or file-vector exploits in the wild to date, he added, but e-mail possibilities are being researched. In short, Dunham said iDefense has proven that, with few modifications, file execution is possible through the exploit.

Meanwhile, Craig Schmugar, researcher for McAfee Avert Labs, tested the Vista vulnerability and posted a video of the ramifications of the attack on YouTube at youtube.com/watch?v=hf0S0Vk7j6I. "In the process of setting up the environment, I dragged and dropped a malicious ANI file to the desktop," he wrote in the McAfee Avert Labs blog. "This causes Vista to enter an endless crash-restart loop."

Thwarting the Attack

At the time of this writing, mitigation data remains mostly unproved. However, Dunham said unconfirmed data suggests that configuring e-mail clients for plain text might help mitigate the primary vector of initial attacks, though not the vulnerability itself. In addition, he said, blocking all types of e-mail attachments might be required to trap any ANI files that might be disguised within other file types, such as JPEG.
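
The point about ANI files disguised as other file types can be checked at a mail gateway by looking at content rather than file names. The sketch below is an added example, not code from Microsoft, iDefense or the article; it assumes the standard ANI layout (a RIFF container with form type ACON), and the function names and sample message are constructed for illustration.

```python
import email
import email.policy
import struct
from email.message import EmailMessage


def looks_like_ani(data: bytes) -> bool:
    """True if the bytes start with a RIFF header whose form type is ACON."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def find_ani_parts(raw_message: bytes):
    """Return (filename, declared_type, disguised) for every ANI-typed part."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable so we sniff the real bytes
        payload = part.get_payload(decode=True) or b""
        if looks_like_ani(payload):
            name = part.get_filename() or "(unnamed)"
            disguised = not name.lower().endswith(".ani")
            findings.append((name, part.get_content_type(), disguised))
    return findings


def build_sample() -> bytes:
    """Constructed test message: one JPEG-like stub, one mislabeled ANI header."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached photos.")
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    ani_stub = b"RIFF" + struct.pack("<I", 4) + b"ACON"  # empty, harmless header
    msg.add_attachment(jpeg_stub, maintype="image", subtype="jpeg", filename="beach.jpg")
    msg.add_attachment(ani_stub, maintype="image", subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, disguised in find_ani_parts(build_sample()):
        print(f"{name}: declared {ctype}, ANI content, disguised={disguised}")
```

A header check like this only catches a whole ANI file sent as a message part; it does not look inside archives or other containers, and it filters the delivery vector rather than fixing the vulnerability.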

Another security firm, eEye Digital, released a workaround for the zero-day vulnerability as a temporary measure for Microsoft customers. However, the company said the workaround is not meant to replace the forthcoming Microsoft patch.

"The temporary patch aims to mitigate the vulnerability by preventing cursors from being loaded outside of the SystemRoot," the company said in a statement. "This disallows Web sites from loading their own, potentially malicious animated icons, while causing little to no business disruption on hosts with the patch installed."

For its part, Microsoft said it has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. The software giant said it will continue to investigate the issue.
