Microsoft released a security advisory about a flaw in animated cursors which would allow drive-by installs. Windows 2000 SP4 and all recent operating systems are affected, including Vista. IE 7 running on Vista would be protected from a drive-by install if it is running in protected mode. Also, Outlook 2007 uses Word to display messages in preview, so it would not be vulnerable.
The only real protection from this vulnerability would be for Microsoft to release a patch. The next “patch Tuesday” is April 10th. [Updated 4/2: Microsoft has said they will release a patch on Tuesday 4/3]
There’s also a significant impact within e-mail. The Microsoft security bulletin mentions e-mail as a method to exploit the vulnerability.
What might an attacker use this function to do?
An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.
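The last sentence of that advisory text is the operational point for anyone filtering mail or web downloads: the file extension tells you nothing, so a content check has to look at the bytes. The following is an added example, not code from the post or from Microsoft. It identifies an animated cursor by its RIFF/ACON signature regardless of file name, walks the RIFF chunks, and flags an anih header chunk whose declared size does not match the 36-byte ANIHEADER structure documented by Microsoft (that size and the scanning logic are mine, not taken from the advisory). The sample attachments at the bottom are constructed for the test.

```python
import struct

RIFF_MAGIC = b"RIFF"
ACON_FORM = b"ACON"
ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields (assumption from the documented struct)


def is_animated_cursor(data: bytes) -> bool:
    """Identify an animated cursor by content, ignoring the file name or extension."""
    return len(data) >= 12 and data[:4] == RIFF_MAGIC and data[8:12] == ACON_FORM


def iter_chunks(data: bytes, start: int, end: int):
    """Walk RIFF chunks in data[start:end], yielding (fourcc, payload_offset, declared_size).

    LIST chunks are descended into; the walk stops on a truncated chunk header.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        if fourcc == b"LIST":
            # A LIST carries a 4-byte list type, then nested chunks.
            yield from iter_chunks(data, payload + 4, min(payload + size, end))
        else:
            yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF chunks are word-aligned


def scan_attachment(name: str, data: bytes) -> dict:
    """Report whether an attachment is ANI content and list anything suspicious about it."""
    result = {
        "name": name,
        "is_ani": False,
        "extension_matches": name.lower().endswith(".ani"),
        "findings": [],
    }
    if not is_animated_cursor(data):
        return result
    result["is_ani"] = True
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_size, len(data))
    for fourcc, off, size in iter_chunks(data, 12, end):
        tag = fourcc.decode("ascii", "replace")
        if fourcc == b"anih" and size != ANIHEADER_SIZE:
            result["findings"].append(
                f"anih chunk at offset {off - 8} declares {size} bytes, expected {ANIHEADER_SIZE}"
            )
        if off + size > len(data):
            result["findings"].append(f"{tag} chunk at offset {off - 8} runs past end of file")
    if not result["extension_matches"]:
        result["findings"].append("animated cursor content under a non-.ani file name")
    return result


# --- constructed sample data for demonstration (not real attachments) ---
def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks) -> bytes:
    body = ACON_FORM + b"".join(chunks)
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body


BENIGN_ANI = _riff([_chunk(b"anih", bytes(ANIHEADER_SIZE))])
# Structurally wrong header size, delivered under an image file name.
MALFORMED_SAMPLE = _riff([_chunk(b"anih", bytes(64))])

if __name__ == "__main__":
    for name, blob in [("cursor.ani", BENIGN_ANI), ("photo.jpg", MALFORMED_SAMPLE), ("readme.txt", b"hello")]:
        print(scan_attachment(name, blob))
```

A mail gateway would apply scan_attachment to every attachment and to inline HTML resources, not only to files ending in .ani, which is exactly the gap the advisory's last sentence describes. The chunk walk is deliberately tolerant of truncated input so a malformed file is reported rather than crashing the scanner.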
Even previewing the mail message in a preview pane could infect the machine. (See below for exceptions to this.)
Microsoft’s recommendation for e-mail is:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
• Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.
Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability.
Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
• The changes are applied to the preview pane and to open messages.
• Pictures become attachments so that they are not lost.
• Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
Microsoft makes the usual recommendation of not reading e-mail from a source you don’t know. But addresses can be spoofed or faked, so any vulnerability like this (where just viewing the message could infect the PC) is a problem. Turning off the preview pane will prevent accidents. There really isn’t any protection until Microsoft releases a patch.
Here’s a video of what happens when the vulnerability is used for a DoS attack on a PC (video via UneasySilence):
Windows PC Have Cursor Hole