US-CERT Technical Cyber Security Alert TA07-089A -- Microsoft Windows ANI header stack buffer overflow

31/03/07, US-CERT Technical Cyber Security Alert TA07-089A -- Microsoft Windows ANI header stack buffer overflow
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA07-089A -- Microsoft Windows ANI header stack buffer overflow
From: CERT Advisory <cert-advisory@cert.org>
Date: Fri, 30 Mar 2007 14:47:29 -0400
List-archive: <http://www.cert.org/>
List-help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-owner: <mailto:cert-advisory-owner@cert.org>
List-post: NO (posting not allowed on this list)
List-unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        National Cyber Alert System

                  Technical Cyber Security Alert TA07-089A


Microsoft Windows ANI header stack buffer overflow

   Original release date: March 30, 2007
   Last revised: --
   Source: US-CERT


Systems Affected

   Microsoft Windows 2000, XP, Server 2003, and Vista are affected.
   Applications that provide attack vectors include:

     * Microsoft Internet Explorer
     * Microsoft Outlook
     * Microsoft Outlook Express
     * Microsoft Windows Mail
     * Microsoft Windows Explorer


Overview

   An unpatched buffer overflow vulnerability in the way Microsoft
   Windows handles animated cursor files is actively being exploited.


I. Description

   A stack buffer overflow exists in the code that Microsoft Windows
   uses to processes animated cursor files. Specifically, Microsoft
   Windows fails to properly validate the size of an animated cursor
   file header supplied in animated cursor files.

   Animated cursor files can be included with HTML files. For
   instance, a web site can use an animated cursor file to specify the
   icon that the mouse pointer should use when hovering over a
   hyperlink. Because of this, malicious web pages and HTML email
   messages can be used to exploit this vulnerability. In addition,
   animated cursor files are automatically parsed by Windows Explorer
   when the containing folder is opened or the file is used as a
   cursor. Because of this, opening a folder that contains a specially
   crafted animated cursor file will also trigger this vulnerability.

   Note that Windows Explorer will process animated cursor files with
   several different file extensions, such as .ani, .cur, or .ico.
   Furthermore, Windows will automatically render animated cursor
   files referenced by HTML documents regardless of the animated
   cursor file extension.

   This vulnerability is actively being exploited.

   More information is available in Vulnerability Note VU#191609.


II. Impact

   A remote, unauthenticated attacker may be able to execute arbitrary
   code. Exploitation may occur when a user clicks a malicious link,
   reads or forwards a specially crafted HTML email, or accesses a
   folder containing a malicious animated cursor file.


III. Solution

   Until a fix is available, refer to the Solution section of
   Vulnerability Note VU#191609 for the latest workarounds.


IV. References

     * Vulnerability Note VU#191609 -
       <http://www.kb.cert.org/vuls/id/191609>

     * Microsoft Security Advisory (935423) -
       <http://www.microsoft.com/technet/security/advisory/935423.mspx>

     * Unpatched Drive-By Exploit Found On The Web -
       <http://www.avertlabs.com/research/blog/?p=230>

     * TROJ_ANICHMOO.AX - Description and Solution -
       <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-089A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA07-089A Feedback VU#191609" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

   Revision History

   March 30, 2007: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRg0/AOxOF3G+ig+rAQKCXwf/S64JCuEQb5bzW8QcbpxAZ0Zv+xtaoId4
AHRvyperlBad/XIRoYogiLgHWvroIpteaOG0ek4RbQEEdLU+u/LMNVDAE0OaezyR
9NEA8ox7kUDd8RQPIrTeQdgcOWDkWGHs0lnBIkxcmtCroBKXqTl8hDwkWSrIH8nn
PbMJpbryAoB+P1bb+u7txtL46bAihnjGEPR5JU+lBqTmmrfUb3ePokK5HzsbWHXu
UEBfoNxmhajsJejK1A5Oui+oK9VK/K1+XYLCEnvXTWTEiWn8F4Gft3j+fellTRdQ
7BZQ+Vo65HvrtiZHjZCZrkjYgngeWQRv4G9aMGhP/jnb2TlxOAIchw==
=IhG4
-----END PGP SIGNATURE-----

Previous message sorted by date: US-CERT Technical Cyber Security Alert TA07-072A -- Apple Updates for Multiple Vulnerabilities
Next message sorted by date: US-CERT Technical Cyber Security Alert TA07-093A -- Microsoft Update for Windows Animated Cursor Vulnerability
Previous message sorted by thread: US-CERT Technical Cyber Security Alert TA07-072A -- Apple Updates for Multiple Vulnerabilities
Next message by thread: US-CERT Technical Cyber Security Alert TA07-093A -- Microsoft Update for Windows Animated Cursor Vulnerability
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Apr 2007