Animated Cursors, Yet Another Zero-Day Vulnerability
It wasn’t too long ago that most security experts told folks that just viewing photos online wouldn’t be dangerous. The warning was never to download an “executable” file, but images were just data, so no problem. Or so it should have been.
Then came news of flaws in the Windows GDI+ module which allowed JPG buffer overflows, and the infamous “Zero-Day WMF Exploit”. Just viewing a Web site hosting a specially crafted image made you vulnerable. Since that time a number of Web site analysis programs have been developed, like Site Advisor, LinkScanner Monitor and Trend Micro’s new Web Reputation technology.
Microsoft Security Response Center is now investigating a new threat in how Windows handles animated cursor or .ANI files. According to Adrian Stone, who writes for the Response Center’s Blog, “Regardless of if you are reading your mail in plain text on Outlook Express you are not protected.”
Microsoft Security Advisory (935423)
Brian Krebs, who writes Security Fix for the Washington Post, has followed too many zero-day vulnerabilities in Windows and sounded like he’s had enough in his column yesterday.
Microsoft's advice about visiting "untrusted Web sites" is not entirely helpful or complete. We've seen plenty of these attacks executed through legitimate Web sites that attackers have seeded with malicious software. It may be best to choose another browser, such as Mozilla's Firefox or Opera Software's Opera. This is an excellent example of how running Windows under a limited user account can save you from worrying about these kinds of threats.
Update: We have had two confirmed reports of detections of this threat in the form of WINCF.EXE. WinPatrol was able to chew it up and spit it out, so, as always, I recommend keeping Scotty on patrol along with any other favorite protection programs.