Here's the scoop on the Windows animated cursor bug

Microsoft is promising an early patch for the ANI vulnerability

What attack vectors are hackers using? So far, it's the usual panoply of suspects, including spammed e-mails with links to malicious sites and malicious and compromised sites that have tucked malformed ANI files on their pages. Websense, for example, says that some of the malicious domains are identical to ones used in the early February compromise of the Dolphin Stadium site just before Super Bowl XLI. The stadium's Web site served up a host of malware to visitors. Up to this point, however, there is one glimmer of hope: active exploits are directed against Windows XP SP2 only.

What else can they use? You name it, they'll use it. Specifically, several of Microsoft's e-mail clients, including the for-free Outlook Express and Windows Mail (in Vista) are vulnerable to attacks that package an ANI file in an HTML message. Users who only preview such messages can be infected, says the SANS Institute.

Are there patches for this? Yes and no. Those that are out now don't come with the Microsoft seal of approval. Two patches have been issued since last week. First to the plate was eEye, which on Friday released a fix it said blocked the loading of any ANI file from outside the local system. The Zeroday Emergency Response Team (ZERT), a loose affiliation of security researchers, issued its own patch Saturday.

What about Microsoft? Microsoft, as is its practice, took a dim view of the third-party patches from eEye and ZERT. "While we appreciate that these are provided to help protect customers, we do recommend that customers only apply security updates and mitigations provided by the original software vendor," said MSRC program manager Christopher Budd on the team's blog. "This is because as the maker of the software, we can give our security updates and guidance thorough testing and evaluation for quality and application compatibility purposes. We're not able to provide similar testing for independent third party security updates or mitigations." That said, after the usual comments last week -- we're investigating, attacks are limited -- the MSRC on Sunday said it had a patch wrapped up, more or less, and would issue an official fix on Tuesday, a week earlier than the normal second-Tuesday-of-the-month security update.

Why can't I just block ANI files? Nice try. But exploits have been spotted that disguise the malicious ANI files as JPG image files. This hacker tactic is common; the massive WMF attacks in late 2005 and early 2006 also camouflaged malformed Windows Metafile images with other extensions.

Are there any other steps I can take while waiting for Microsoft's patch? If you're uncomfortable with applying a third-party patch, you might want to switch to an alternate browser, say Firefox 2.0, temporarily. Current exploits are targeting Microsoft's Internet Explorer only, and several vendors, including Symantec, have gone on record as saying Firefox is not vulnerable. That may change, however, since there isn't anything in Firefox that expressly prevents an attack. On the e-mail front, both Microsoft and SANS confirm that Outlook 2007 is invulnerable to attacks. Outside of those software choices, other things to do include updating anti-virus software (most vendors now detect the known exploits), avoiding untrusted Web sites (you know what we're talking about), and not clicking on links in unsolicited e-mail messages. You know, the usual drill for avoiding an infection.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about eEye Digital SecurityMcAfee AustraliaMicrosoftMSA (Aust)SANS InstituteSymantecWebsense

Show Comments