
March 29th, 2007

Microsoft confirms Windows zero-day, drive-by exploits

Posted by Ryan Naraine @ 9:42 am

[UPDATE: March 29, 2007 @ 1:15 PM Eastern] Microsoft has confirmed that this is indeed a zero-day flaw that will require a security update. Although Internet Explorer is the primary attack vector, this is a vulnerability in the way Windows handles animated cursor (.ani) files.

From Redmond's security advisory:

The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons.

An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

A zero-day vulnerability in Microsoft's dominant Internet Explorer browser is being used in drive-by attacks against fully patched Windows XP SP2 systems, according to warnings from anti-virus vendors.

McAfee was the first to raise the alert for the attacks, warning that the exploit simply requires that a user is lured to a maliciously rigged Web page:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

According to McAfee researcher Craig Schmugar, the flaw exists in the way IE handles malformed .ani files. (The .ani file format is used to read and store Windows Animated Cursors, and such a file can easily be placed on an attacker's Web site to trigger the vulnerability.)
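As an added, defender-side example (not code from the article, McAfee or Microsoft), here is a small Python checker that applies the kind of format validation the advisory says was missing: it walks the RIFF/ACON chunk structure of an .ani file with bounds checks and flags an "anih" chunk whose declared size disagrees with the documented 36-byte ANIHEADER. It relies only on the public .ani layout; the page does not describe the specific defect, so this is a generic sanity scan for malformed cursor files, not a signature for this exploit.

```python
import struct

ANIHEADER_SIZE = 36  # documented size of the ANIHEADER structure carried by an "anih" chunk

def parse_riff_chunks(data, offset, end):
    """Yield (fourcc, payload) for each RIFF chunk in data[offset:end], bounds-checked."""
    while offset < end:
        if end - offset < 8:
            raise ValueError("truncated chunk header at offset %d" % offset)
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload_start = offset + 8
        if size > end - payload_start:
            raise ValueError("chunk %r declares %d bytes but only %d remain"
                             % (fourcc, size, end - payload_start))
        yield fourcc, data[payload_start:payload_start + size]
        offset = payload_start + size + (size & 1)  # chunk bodies are word-aligned

def check_ani(data):
    """Return a list of findings for an .ani blob; an empty list means it passed every check."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append("RIFF size field exceeds file length")
    end = min(len(data), riff_size + 8)
    try:
        for fourcc, payload in parse_riff_chunks(data, 12, end):
            if fourcc != b"anih":
                continue  # frame lists and other chunks are not validated here
            if len(payload) != ANIHEADER_SIZE:
                findings.append("anih chunk is %d bytes, expected %d" % (len(payload), ANIHEADER_SIZE))
            elif struct.unpack_from("<I", payload)[0] != ANIHEADER_SIZE:
                findings.append("anih cbSize field does not match the ANIHEADER size")
    except ValueError as err:
        findings.append(str(err))
    return findings

# Constructed samples (not real files): a minimal well-formed header and one with an oversized anih chunk.
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def _riff(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

ANIHEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 1)  # cbSize, frames, steps, cx, cy, bpp, planes, rate, flags
GOOD_ANI = _riff(_chunk(b"anih", ANIHEADER))
OVERSIZED_ANI = _riff(_chunk(b"anih", ANIHEADER + b"\0" * 4))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ANI), ("oversized", OVERSIZED_ANI), ("truncated", GOOD_ANI[:-5])):
        print(name, check_ani(blob) or "ok")
```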

Multiple sources in the anti-malware community have confirmed McAfee's findings; the attacks seen so far deliver arbitrary .exe files and Trojan downloaders.

Trend Micro has posted an alert with a diagram explaining the characteristics of the attack:

[Diagram: IE zero day attack characteristic]

The flaw is believed to be a variant of a Windows vulnerability patched in January 2005 with the MS05-002 bulletin. Microsoft has confirmed to McAfee that this is a zero-day vulnerability. A formal security advisory will be posted here later today (See update above for info on Microsoft's formal confirmation).

Affected Products:

Windows XP Service Pack 2, Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Windows Server 2003 SP1
Microsoft Windows Internet Explorer 7 for Windows XP SP2
Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1

Web surfers using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer 7.0 protected mode.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback (most recent of 64)

I certainly don't remember anybody asking for it
This is about security. Just because they want it doesn't mean it's good for them. I'm sure a lot of people didn't like UAC, but that didn't prevent them from implementing it.

"Stop faulting Mi... (Read the rest)
Posted by: CobraA1 | 04/02/07
