Windows cursor threat
p2pnet.net news:- To borrow a phrase from Shakespeare, beware the “arrows of outrageous fortune,” because the humble cursor is central to the latest serious security danger to threaten Windows users.
And it’s currently being used in hack attacks.
A new security hole discovered by McAfee affects the way Windows handles animated cursors, and could leave PCs open, says US-CERT. The unpatched stack buffer overflow vulnerability in Microsoft Windows could allow an attacker to execute arbitrary code, it says.
“Configuring Outlook Express to read email in plaintext will not protect against this vulnerability,” warns US-CERT (the United States Computer Emergency Readiness Team).
“Outlook Express in plaintext mode will download and parse a malicious .ANI file referenced in the email message without prompting.”
The hole exists because Windows fails to properly handle specially crafted animated cursor (ANI) files, states US-CERT, which continues:
“According to public reports, this vulnerability is actively being exploited via Internet Explorer. Specifically, the reports claim that browsing to a specially crafted web page with Microsoft Internet Explorer results in exploitation.”
Posts US-CERT:
Vulnerability Note VU#191609
Microsoft Windows animated cursor ANI header stack buffer overflow
Overview
Microsoft Windows contains a stack buffer overflow in the handling of animated cursor files. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
I. Description
Animated cursor files (.ani) contain animated graphics for icons and cursors. A stack buffer overflow vulnerability exists in the way that Microsoft Windows processes malformed animated cursor files. Microsoft Windows fails to properly validate the size specified in the ANI header. Note that Windows Explorer will process ANI files with several different file extensions, such as .ani, .cur, or .ico.
Note that animated cursor files are parsed when the containing folder is opened or it is used as a cursor. In addition, Internet Explorer can process ANI files in HTML documents, so web pages and HTML email messages can also trigger this vulnerability.
More information on this vulnerability is available in Microsoft Security Advisory (935423).
This vulnerability is being actively exploited.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition.
III. Solution
We are unaware of a practical solution to this vulnerability. Until a fix is available, the following workarounds may reduce the chances of exploitation:
Configure Outlook to display messages in plain text
An attacker may be able to exploit this vulnerability by convincing a user to display a specially crafted HTML email. This can happen automatically if the preview pane is enabled in your mail client. Configuring Outlook to display email in plain text can help prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.
Note: The Outlook Express option for displaying messages in plain text will not prevent exploitation of this vulnerability. This workaround is only viable for systems with Microsoft Outlook.
Disable preview pane
By disabling the preview pane in your mail client, incoming email messages will not be automatically rendered. This can help prevent exploitation of this vulnerability.
Configure Windows Explorer to use Windows Classic Folders
When Windows Explorer is configured to use the “Show common tasks in folders” option, HTML within a file may be processed when that file is selected. If the “Show common tasks in folders” is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the “Show common tasks in folders” is enabled by default. To mitigate this attack vector, enable the “Use Windows classic folders” option. To enable this option in Windows Explorer:
* Open Windows Explorer
* Select Folder Options from the Tools menu
* Select the “Use Windows classic folders” option in the Tasks section
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Also See:
US-CERT - Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling, March 29, 2007
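The Description section of the note above says the flaw is that Windows does not validate the size specified in the ANI header. The checker below is an added example, not code from US-CERT, Microsoft or p2pnet: it walks the RIFF/ACON container of a cursor file and flags an anih chunk whose declared size is not the 36 bytes of the nine-field ANIHEADER structure (a fact about the file format, not something the note states), as well as any chunk that claims more bytes than the file actually holds. The three sample files at the bottom are constructed inline for the demonstration and contain no real payload; the check is the kind of triage a mail gateway or file-share scanner can run on .ani, .cur and .ico attachments.

```python
import struct

# sizeof(ANIHEADER): nine 32-bit fields (cbSizeof, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags). A well-formed anih chunk is always this long.
ANIH_EXPECTED_SIZE = 36


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        yield fourcc, payload, size
        # RIFF chunks are 16-bit aligned: an odd-sized payload is followed by one pad byte.
        pos = payload + size + (size & 1)


def check_ani(data):
    """Walk a RIFF/ACON file and return a list of findings; an empty list means every
    chunk fits inside the file and the single anih header has its expected size."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor container"]

    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)} (truncated?)")
    end = min(len(data), riff_size + 8)
    anih_count = 0

    def walk(start, stop):
        nonlocal anih_count
        for fourcc, payload, size in iter_chunks(data, start, stop):
            if payload + size > stop:
                findings.append(f"chunk {fourcc!r} declares {size} bytes but only {stop - payload} remain")
                return  # the declared size cannot be trusted, so stop walking this level
            if fourcc == b"LIST":
                walk(payload + 4, payload + size)  # skip the 4-byte list type, descend into members
            elif fourcc == b"anih":
                anih_count += 1
                if size != ANIH_EXPECTED_SIZE:
                    findings.append(f"anih chunk declares {size} bytes, expected {ANIH_EXPECTED_SIZE}")

    walk(12, end)
    if anih_count != 1:
        findings.append(f"expected exactly one anih chunk, found {anih_count}")
    return findings


def _chunk(fourcc, payload):
    """Encode one RIFF chunk with its word-alignment pad byte."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payload):
    """Constructed test input: a minimal RIFF/ACON file around the given anih payload,
    with one placeholder frame (a real file carries a CUR/ICO image there)."""
    frames = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 22))
    body = b"ACON" + _chunk(b"anih", anih_payload) + frames
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed header, an oversized header, and a truncated file.
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 6, 1))
OVERSIZED_ANI = build_ani(b"\0" * 200)
TRUNCATED_ANI = GOOD_ANI[:30]

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ANI), ("oversized", OVERSIZED_ANI), ("truncated", TRUNCATED_ANI)]:
        print(name, check_ani(sample) or "ok")
```

The walker never trusts a declared length until it has compared it with the bytes remaining at that nesting level, which is exactly the check the note says Windows omits; a file that fails any of these tests should be quarantined rather than opened, since Windows Explorer parses such files merely when their folder is displayed.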
March 31st, 2007 at 8:05 am
It seems this also affects Vista
March 31st, 2007 at 4:58 pm
n/t
March 31st, 2007 at 5:05 pm
Well, I’ve had mine since Win 98... so I say this is just a great big pile of male bovine fecal matter.
HELLLOOOOOO!!!! Why hasn’t this ‘vulnerability’ been ‘caught’ until __NOW__?????????????
Could be some of those ‘oh so *Critical*’ “patches” opened this thing up??? Don’t forget that the ‘US’ gov has TWICE issued edicts about TWO certain “patches”. Anyone think a THIRD time is coming up?…SOON???
March 31st, 2007 at 8:13 pm
IE in protected mode is NOT affected.
Which means, if you’re a meathead and turned off UAC, you’re vulnerable.
March 31st, 2007 at 8:17 pm
Ahh, the ol’ “just because I’m paranoid doesn’t mean they aren’t trying to kill me”
April 2nd, 2007 at 9:25 am
I remember animated cursors back in the first version of Windows 95. Wouldn’t surprise me if Microsoft stole it from the mac. The code has probably changed over the years and maybe that vulnerability came up in recent code that wasn’t around back then. Anyway, they didn’t need to attack a computer this way back then. There were so many easier ways to attack a machine they probably just ignored this one. Besides, how do you know some super smart cracker hasn’t been exploiting this and the rest of us just found out about it now? Same goes with the holes we’ll discover in the future, they’re here NOW and they can be exploited quietly.
April 2nd, 2007 at 1:11 pm
http://blogs.techrepublic.com.com/security/?p=203&tag=nl.e102
April 2nd, 2007 at 1:14 pm
http://blogs.techrepublic.com.com/security/?p=203&tag=nl.e102
If THAT doesn’t work…grrrr…just copy and paste the thing…..
April 2nd, 2007 at 2:14 pm
http://blogs.zdnet.com/security/?p=143&tag=nl.e589
http://news.zdnet.com/2100-1009_22-6172440.html?tag=nl.e589
Just copy ‘n paste the things….
April 9th, 2007 at 5:46 pm