On Thursday, Microsoft warned that hackers are actively exploiting a zero-day vulnerability in animated cursor, or .ANI, files for Windows. Some security researchers are comparing it to last year's widespread Windows Metafile (WMF) attacks.
Users of most supported versions of Windows and Windows Server, including Vista, are at risk of attackers taking complete control of their system. However, Microsoft offered a silver lining: Users running Windows Vista and Internet Explorer 7 in protect mode should be safe because the security feature doesn't allow files to access or modify any system files without user permission.
"In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or e-mail attachment sent to them by an attacker," Adrian Stone from Microsoft's Security Response Center, wrote in an official advisory.
Security Researchers Scramble
Microsoft is reporting very limited attacks against the newly reported vulnerability in the way Windows handles animated cursor files. Nonetheless, some security researchers believe the new ANI exploit has similar potential to last year's WMF attacks, which rank among the most dangerous and widely exploited vulnerabilities since the Zobot worms of 2005.
Security researchers are scrambling to gather information on the breadth of the risk. Ken Dunham, director of VeriSign iDefense's Rapid Response Team, worked late into Thursday night to collect data on the latest Windows zero-day threat.
"iDefense has confirmed active exploitation of the new ANI exploit in the wild," Dunham reported. "Multiple domains point back to two different hostile servers at this
time." There is no known e-mail or file vector exploits in the wild to date, he added, but e-mail possibilities are being researched. In short, Dunham said iDefense has proven that, with few modifications, file execution is possible through the exploit.
Meanwhile, Craig Schmugar, researcher for McAfee Avert Labs, tested the Vista vulnerability and posted a video of the ramifications of the attack on YouTube at youtube.com/watch?v=hf0S0Vk7j6I. "In the process of setting up the environment, I dragged and dropped a malicious ANI file to the desktop," he wrote in the McAfee Avert Labs blog. "This causes Vista to enter an endless crash-restart loop."
Thwarting the Attack
At the time of this writing, mitigation data remains mostly unproved. However, Dunham said unconfirmed data suggests that configuring e-mail clients for plain text might help mitigate the primary vector of initial attacks, though not the vulnerability itself. In addition, he said, blocking all types of e-mail attachments might be required to trap any ANI files that might be disguised within other file types, such as JPEG.
Another security firm, eEye Digital, released a workaround for the zero-day vulnerability as a temporary measure for Microsoft customers. However, the company said the workaround is not meant to replace the forthcoming Microsoft patch.
"The temporary patch aims to mitigate the vulnerability by preventing cursors from being loaded outside of the SystemRoot," the company said in a statement. "This disallows Web sites from loading their own, potentially malicious animated icons, while causing little to no business disruption on hosts with the patch installed."
For its part, Microsoft said it has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. The software giant said it will continue to investigate the issue.