Microsoft Windows animated cursor ANI header stack buffer overflow exploit

Over the last few days, multiple real-world exploits have been reported that use the recently disclosed buffer overflow in the handling of animated cursor files under Microsoft Windows operating systems. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Microsoft has published the following Security Advisory regarding this exploit:

http://www.microsoft.com/technet/security/advisory/935423.mspx

This vulnerability could be exploited by creating a specially crafted web page, or by creating a specially crafted email message and sending it to an affected system. When a user views such a web page, previews or reads a specially crafted message, or opens a specially crafted email attachment, the attacker could cause the affected system to execute code. While animated cursors are typically associated with the .ani file extension, a successful attack is not constrained by this file type.
As a consequence, this exploit is difficult to detect or block. A final solution can only be made available by Microsoft in the form of a patch.

2007-04-04 : Update !!

On Tuesday 2007-04-03, Microsoft published an out-of-schedule patch that should resolve this issue.
This patch can be downloaded from the following location where you can also find more information about the specific patch:

http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

It is strongly advised to patch all systems affected by this vulnerability as soon as possible.

Until a fix is installed, the following workarounds may reduce the chances of exploitation:

  • Block access to malformed ANI files at network perimeters
    By blocking access to malformed ANI files using HTTP proxies, mail gateways, and other network filter technologies, system administrators may also limit potential attack vectors. Please be aware that filtering based just on the ANI, CUR, or ICO file extensions will not block all known attack vectors for this vulnerability.
  • Configure Outlook to display messages in plain text
    An attacker may be able to exploit this vulnerability by convincing a user to display a specially crafted HTML email. This can happen automatically if the preview pane is enabled in your mail client. Configuring Outlook to display email in plain text can help prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.

    Note: The Outlook Express option for displaying messages in plain text will not prevent exploitation of this vulnerability. This workaround is only viable for systems with Microsoft Outlook.

  • Disable email preview pane
    By disabling the preview pane in your mail client, incoming email messages will not be automatically rendered. This can help prevent exploitation of this vulnerability.
  • Configure Windows Explorer to use Windows Classic Folders
    When Windows Explorer is configured to use the "Show common tasks in folders" option, HTML within a file may be processed when that file is selected. If the "Show common tasks in folders" option is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the "Show common tasks in folders" option is enabled by default. To mitigate this attack vector, enable the "Use Windows classic folders" option. To enable this option in Windows Explorer:
    1. Open Windows Explorer
    2. Select Folder Options from the Tools menu
    3. Select the "Use Windows classic folders" option in the Tasks section
  • Do not follow unsolicited links
    In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
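
For the perimeter-blocking workaround above, where the file extension cannot be trusted, a filter has to inspect content instead. The following is an added example (not TUNIX or Microsoft code) that recognises ANI data by its RIFF/ACON signature and flags structurally invalid files; the `classify` function, the constructed sample names, and the rule that any `anih` chunk not declaring the fixed 36-byte header counts as malformed are assumptions of this example.

```python
import struct

ANIH_SIZE = 36  # size of the fixed ANI header structure carried in an 'anih' chunk

def classify(data: bytes) -> str:
    """Classify by content only: 'not-ani', 'ok' or 'malformed'."""
    # An animated cursor is a RIFF container with form type 'ACON',
    # whatever the file name or extension says.
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return "not-ani"
    pos, anih_seen = 12, 0
    while pos < len(data):
        if pos + 8 > len(data):
            return "malformed"                  # truncated chunk header
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if size > len(data) - body:
            return "malformed"                  # chunk claims more bytes than exist
        if tag == b"LIST":
            if size < 4:
                return "malformed"
            pos = body + 4                      # step into the list, walk its subchunks
            continue
        if tag == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:               # policy assumption of this example
                return "malformed"
        pos = body + size + (size & 1)          # chunks are padded to even length
    return "ok" if anih_seen else "malformed"

# --- constructed sample inputs (harmless, zero-filled) ---
def chunk(tag: bytes, body: bytes) -> bytes:
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff(*chunks: bytes) -> bytes:
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload

HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
SAMPLES = {
    "cursor.ani": riff(chunk(b"anih", HEADER)),
    "photo.jpg": riff(chunk(b"LIST", b"INFO" + chunk(b"INAM", b"demo")), chunk(b"anih", HEADER)),
    "banner.gif": riff(chunk(b"anih", b"\x00" * 80)),
    "cut.ani": riff(chunk(b"anih", HEADER))[:-10],
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(data)}")
```

A gateway can either block everything that is not `not-ani`, or block only `malformed` results if animated cursors must remain deliverable.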


The TUNIX/Firewall can be configured to block ANI and other files in HTTP or email traffic. Such a block can reduce the risk of an exploit, although it is not a 100% guarantee. If you would like assistance in implementing such a block on the TUNIX/Firewall, please contact TUNIX.
For any other questions concerning this or other exploits, please also contact TUNIX Support. The quickest way to do that is via email ('fwsupport@tunix.nl') or phone (024-3455012).

Sincerely,

On behalf of TUNIX Support, Y. Ehlers
