March 2007
Microsoft Security Advisory: Vulnerability in Windows Animated Cursor Handling (935423)
ID: 103
Ref: 045/2007
Date: 30 March 2007 11:11:11
Version: 1
Title: Microsoft Security Advisory: Vulnerability in Windows Animated Cursor Handling (935423)
Abstract: Vulnerability in Windows Animated Cursor
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft
Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files.
The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons. For this attack to be carried out, a user must either visit a Web site that contains a Web page used to exploit the vulnerability, view a specially crafted e-mail message, or open a specially crafted e-mail attachment sent to them by an attacker.
As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft is monitoring the issue and will update the Advisory and blog as new information becomes available. Upon completion of this investigation, Microsoft will take the appropriate action to help protect its customers.
Affected Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista
Microsoft FAQ
Animated Cursor is a component of Microsoft Windows.
What does this feature do?
Animated cursors are a feature that allows a series of frames, one after another, to appear at the mouse pointer location instead of a single image, thus producing a short loop of animation. Animated cursor files are designated by the .ani suffix.
What might an attacker use this function to do?
An attacker could try to exploit the vulnerability by creating a specially crafted Web page. An attacker could also create a specially crafted e-mail message and send it to an affected system. Upon viewing the Web page, previewing or reading the specially crafted message, or opening a specially crafted e-mail attachment, the affected system could be made to execute code of the attacker's choosing. While animated cursors are typically associated with the .ani file extension, a successful attack is not constrained by this file type.
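The advisory traces the flaw to missing format validation before a cursor is rendered, and the FAQ notes that an attack is not tied to the .ani extension. The following is an added example, written for this page rather than taken from Microsoft or the advisory, of the kind of strict content-based check a mail gateway or Web proxy could run on any attachment regardless of its name: it parses the RIFF container that animated cursors use (form type ACON, with the format's 36-byte anih header chunk), refuses any chunk whose declared length runs past the end of the file, rejects a second anih chunk, and rejects an anih chunk that is not exactly 36 bytes. The function names (validate_ani, screen_file) and the sample files are constructed for this example.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORD fields

class AniFormatError(ValueError):
    """Raised when a file does not conform to the animated-cursor format."""

def _chunks(data, start, end):
    """Yield (fourcc, payload_offset, payload_len) for RIFF chunks in data[start:end].
    Every declared length is checked against `end` before it is trusted."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise AniFormatError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        if length > end - payload:
            raise AniFormatError(
                f"chunk {fourcc!r} declares {length} bytes but only {end - payload} remain")
        yield fourcc, payload, length
        pos = payload + length + (length & 1)  # RIFF pads odd-length chunks to a word boundary

def validate_ani(data):
    """Strictly validate an animated-cursor file.
    Returns the parsed anih header fields as a dict, or raises AniFormatError."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise AniFormatError("not a RIFF file")
    (riff_len,) = struct.unpack_from("<I", data, 4)
    if riff_len < 4 or riff_len + 8 > len(data):
        raise AniFormatError("RIFF length field inconsistent with file size")
    if data[8:12] != b"ACON":
        raise AniFormatError("RIFF form type is not ACON")
    header = None
    for fourcc, off, length in _chunks(data, 12, 8 + riff_len):
        if fourcc == b"anih":
            if header is not None:
                raise AniFormatError("duplicate anih chunk")
            if length != ANIH_SIZE:
                raise AniFormatError(f"anih chunk is {length} bytes, expected {ANIH_SIZE}")
            fields = struct.unpack_from("<9I", data, off)
            if fields[0] != ANIH_SIZE:
                raise AniFormatError("anih cbSize does not match chunk length")
            names = ("cbSize", "cFrames", "cSteps", "cx", "cy",
                     "cBitCount", "cPlanes", "JifRate", "flags")
            header = dict(zip(names, fields))
        elif fourcc == b"LIST":
            if length < 4:
                raise AniFormatError("LIST chunk too short to carry a list type")
            # Walk the sub-chunks with the same bounds checks; contents are not rendered here.
            for _ in _chunks(data, off + 4, off + length):
                pass
    if header is None:
        raise AniFormatError("no anih chunk present")
    if header["cFrames"] == 0:
        raise AniFormatError("anih declares zero frames")
    return header

def screen_file(data):
    """Gateway-style wrapper: returns (accepted, header_or_reason)."""
    try:
        return True, validate_ani(data)
    except AniFormatError as exc:
        return False, str(exc)

# --- constructed sample inputs (not real malware, just well-formed and malformed containers) ---
def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def build_ani(anih_payload, extra=b""):
    body = b"ACON" + _chunk(b"anih", anih_payload) + extra
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
SAMPLE_GOOD = build_ani(GOOD_ANIH)
SAMPLE_OVERSIZED = build_ani(GOOD_ANIH + b"A" * 12)        # anih chunk claims 48 bytes
SAMPLE_TRUNCATED = build_ani(GOOD_ANIH)[:-10]               # RIFF length exceeds the file
SAMPLE_RUNAWAY = build_ani(GOOD_ANIH, b"rate" + struct.pack("<I", 0x7FFFFFFF))  # chunk runs past EOF

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("oversized", SAMPLE_OVERSIZED),
                         ("truncated", SAMPLE_TRUNCATED), ("runaway", SAMPLE_RUNAWAY)):
        print(name, screen_file(sample))
```

Because the check keys on the RIFF/ACON signature rather than on the file name, it applies equally to an attachment renamed to some other extension, which is the point the FAQ makes. A real gateway would also want to cap the number of chunks and frames it is willing to walk, so that the validator itself cannot be made to spend unbounded time on a large file.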
Mitigating Factors for Animated Cursor Vulnerability
Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks by Internet Explorer 7 Protected Mode. For more information on Internet Explorer Protected Mode, see the following Web site.
By default, Outlook 2007 uses Microsoft Word to display e-mail messages, which protects customers from the HTML e-mail preview attack vector.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it serve up a Web page with malicious content attempting to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or a site compromised by the attacker.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Further Reading
Microsoft:
http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx
Arbor Networks
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
SANS:
http://isc.sans.org/diary.html?storyid=2534
Security Focus:
http://www.securityfocus.com/bid/23194
McAfee:
http://www.avertlabs.com/research/blog/?p=230
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609
Various malware exploiting the vulnerability:
TROJ_ANICMOO.AX
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX
Exploit-ANIfile.c
http://vil.nai.com/vil/content/v_141860.htm
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Microsoft for the information contained in this advisory.
______________________________________________________________________________