Monday, April 2, 2007

New threat - Windows ANI exploit

CNET's security site is reporting a Windows animated cursor exploit.
Direct link: http://reviews.cnet.com/4520-6600_7-6722377-1.html

If you happen to receive spam emails with free Windows animated cursors attached, do not install them, and run Windows Update to obtain the security patch from Microsoft.
Microsoft security patch for animated cursor vulnerabilities, download link: here


From CNET Security Center:

Windows animated cursor attack
The way Microsoft Windows handles animated cursors on Web sites puts PCs at risk.
By Robert Vamosi (March 30, 2007) (revised 4/2/07)

QUICK FACTS
Name: Windows animated cursor attack
Date first reported: 03/29/07
CVE Number: CVE 2007-0038
Vulnerable software: Microsoft Windows 2000, SP1 through Windows Vista.
What it does: Causes a denial of service attack (persistent reboot) or could allow remote access.
Recommendations: Use an Internet browser other than Microsoft Internet Explorer, such as Firefox or Opera.
Exploit code available: Yes
Vendor patch available: Expected April 3, 2007.

Internet threat rating: 8 out of 10

There's a new Microsoft Windows vulnerability being exploited across the Internet on over 100 Web sites, according to security vendor Websense. The vulnerability is caused by an unspecified error in the way Windows 2000, XP, and Vista handle animated cursors. Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type, so simply blocking .ani files won't necessarily protect a PC. Users need not do anything but visit a compromised site to become infected. Antivirus vendor F-Secure reports there's also a worm associated with this vulnerability.
Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to be originating from the following sites, which you may want to block:
wsfgfdgrtyhgfd.net
85.255.113.4
uniq-soft.com
fdghewrtewrtyrew.biz
newasp.com.cn
To become infected, users must be using Internet Explorer 6 or 7; there is no need to click, as just visiting an infected site is enough for an infection. The flaw does not affect the Firefox or Opera Internet browsers. Microsoft will release a patch on April 3, 2007. Until a patch is released, users should browse the Internet using a non-Internet Explorer browser. There is also a third-party (non-Microsoft) patch available here from the Zeroday Emergency Response Team (ZERT); however, this patch is offered "as is" and will need to be manually removed when Microsoft issues the official patch tomorrow.
Additional Resources
Microsoft: Advisory 935423
Zeroday Emergency Response Team (ZERT): Unofficial patch
NIST: CVE-2007-0038
Arbor Networks: Any Ani file could infect you
Websense: Alert
F-Secure: Blog post
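
Since the article notes that blocking the .ani suffix is not enough, a mail or web gateway can instead recognise animated cursor data from its content. The following is an added example, not part of the original post or the CNET article: it assumes the RIFF/ACON container layout with a single 36-byte anih header chunk, and the function names and sample files are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # the ANI header structure is nine 32-bit fields

def riff_chunks(data, start=12):
    """Yield (chunk_id, declared_size) for each chunk, descending into LISTs."""
    pos = start
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield cid, size
        # A LIST wraps sub-chunks after a 4-byte type; other chunks pad to even.
        pos += 12 if cid == b"LIST" else 8 + size + (size & 1)

def classify(name, data):
    """Return (is_animated_cursor, findings), judged by content, not file name."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return False, []
    findings = []
    if not name.lower().endswith(".ani"):
        findings.append("animated cursor content under a non-.ani name")
    headers = [size for cid, size in riff_chunks(data) if cid == b"anih"]
    if len(headers) != 1:
        findings.append("expected exactly one anih chunk, found %d" % len(headers))
    if any(size != ANIH_SIZE for size in headers):
        findings.append("anih chunk size is not 36 bytes")
    return True, findings

# Constructed sample files (not taken from any real site or attack).
def _chunk(cid, payload):
    return cid + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)

def _riff(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

HEADER_OK = _riff(_chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
ODD_HEADER = _riff(_chunk(b"anih", bytes(40)))
NOT_A_CURSOR = b"GIF89a" + bytes(20)

if __name__ == "__main__":
    for name, data in [("cursor.ani", HEADER_OK), ("photo.jpg", HEADER_OK),
                       ("cursor.ani", ODD_HEADER), ("banner.gif", NOT_A_CURSOR)]:
        print(name, classify(name, data))
```

A file that classifies as an animated cursor under another extension, or with any structural finding, is a candidate for quarantine until the Microsoft patch is installed.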
