Friday, March 30, 2007

Microsoft Cursor & Icon ANI Format Handling Remote Code Execution Vuln

Via McAfee Avert Labs Blog -

Several of my posts over the last few months have centered around very targeted zero-day attacks. This post covers an exploit that McAfee researchers discovered in the field, posted to a message board. That posting was simply a proof of concept; however, McAfee Avert Labs has since received a malicious sample as well. It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

The vulnerability lies in the handling of malformed ANI files. Known exploits download and execute arbitrary exe files. This vulnerability is reminiscent of MS05-002.


More on this serious new vulnerability at the following locations.

eEye ANI ZeroDay Patch

MSRC Blog - Microsoft Security Advisory 935423
