Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Friday, March 30, 2007

Animated Cursors, Yet Another Zero-Day Vulnerability

It wasn’t too long ago that most security experts told folks that just viewing photos online wouldn’t be dangerous. The warning was never to download an “executable” file, but images were just data, so no problem. Or so it should have been.

Then came news of flaws in the Windows GDI+ module which allowed JPG buffer overflows, and the infamous “Zero-Day WMF Exploit”. Just viewing a web site hosting a specially crafted image made you vulnerable. Since that time a number of Web site analysis programs have been developed, like Site Advisor, LinkScanner Monitor and Trend Micro’s new Web Reputation technology.

Microsoft Security Response Center is now investigating a new threat in how Windows handles animated cursor or .ANI files. According to Adrian Stone, who writes for the Response Center’s Blog, “Regardless of if you are reading your mail in plain text on Outlook Express you are not protected.”
Microsoft Security Advisory (935423)

Brian Krebs, who writes Security Fix for the Washington Post, has followed too many zero-day vulnerabilities in Windows and sounded like he’s had enough in his column yesterday.

Microsoft's advice about visiting "untrusted Web sites" is not entirely helpful or complete. We've seen plenty of these attacks executed through legitimate Web sites that attackers have seeded with malicious software. It may be best to choose another browser, such as Mozilla's Firefox or Opera Software's Opera. This is an excellent example of how running Windows under a limited user account can save you from worrying about these kinds of threats.

Update: We have had two confirmed reports of detections of this threat in the form of WINCF.EXE. WinPatrol was able to chew it up and spit it out, so as always I recommend keeping Scotty on patrol along with any other favorite protection programs.



Blogger Unknown said...

Be aware that if you use this or any 3rd party patches, you do so at your own risk.

Patches should be removed before any official patch is provided by Microsoft.

1:17 PM  
Anonymous Anonymous said...


The Microsoft Security Response Center blog reports that they "have been working around the clock to test this update and are currently planning to release the security update that addresses this (ANI) issue on Tuesday April 3, 2007."

Microsoft Security Bulletin Advance Notification supports this information.


6:28 AM  
Blogger Unknown said...


I haven't researched any of the payloads yet but as I mentioned we have had confirmations of the file Wincf.exe which has been identified with it. Now that the proof of concept code has been made public we could see all sorts of malware symptoms.

Until you're patched I would stick with familiar web sites and don't open any Email that says "Britney spears naked". But, I don't think I need to tell you that. ;)

1:22 PM  
