-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-089A Microsoft Windows ANI header stack buffer overflow Original release date: March 30, 2007 Last revised: -- Source: US-CERT Systems Affected Microsoft Windows 2000, XP, Server 2003, and Vista are affected. Applications that provide attack vectors include: * Microsoft Internet Explorer * Microsoft Outlook * Microsoft Outlook Express * Microsoft Windows Mail * Microsoft Windows Explorer Overview An unpatched buffer overflow vulnerability in the way Microsoft Windows handles animated cursor files is actively being exploited. I. Description A stack buffer overflow exists in the code that Microsoft Windows uses to processes animated cursor files. Specifically, Microsoft Windows fails to properly validate the size of an animated cursor file header supplied in animated cursor files. Animated cursor files can be included with HTML files. For instance, a web site can use an animated cursor file to specify the icon that the mouse pointer should use when hovering over a hyperlink. Because of this, malicious web pages and HTML email messages can be used to exploit this vulnerability. In addition, animated cursor files are automatically parsed by Windows Explorer when the containing folder is opened or the file is used as a cursor. Because of this, opening a folder that contains a specially crafted animated cursor file will also trigger this vulnerability. Note that Windows Explorer will process animated cursor files with several different file extensions, such as .ani, .cur, or .ico. Furthermore, Windows will automatically render animated cursor files referenced by HTML documents regardless of the animated cursor file extension. This vulnerability is actively being exploited. More information is available in Vulnerability Note VU#191609. II. Impact A remote, unauthenticated attacker may be able to execute arbitrary code. Exploitation may occur when a user clicks a malicious link, reads or forwards a specially crafted HTML email, or accesses a folder containing a malicious animated cursor file. III. Solution Until a fix is available, refer to the Solution section of Vulnerability Note VU#191609 for the latest workarounds. IV. References * Vulnerability Note VU#191609 - <http://www.kb.cert.org/vuls/id/191609> * Microsoft Security Advisory (935423) - <http://www.microsoft.com/technet/security/advisory/935423.mspx> * Unpatched Drive-By Exploit Found On The Web - <http://www.avertlabs.com/research/blog/?p=230> * TROJ_ANICHMOO.AX - Description and Solution - <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA07-089A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@xxxxxxxx> with "TA07-089A Feedback VU#191609" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History March 30, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRg0/AOxOF3G+ig+rAQKCXwf/S64JCuEQb5bzW8QcbpxAZ0Zv+xtaoId4 AHRvyperlBad/XIRoYogiLgHWvroIpteaOG0ek4RbQEEdLU+u/LMNVDAE0OaezyR 9NEA8ox7kUDd8RQPIrTeQdgcOWDkWGHs0lnBIkxcmtCroBKXqTl8hDwkWSrIH8nn PbMJpbryAoB+P1bb+u7txtL46bAihnjGEPR5JU+lBqTmmrfUb3ePokK5HzsbWHXu UEBfoNxmhajsJejK1A5Oui+oK9VK/K1+XYLCEnvXTWTEiWn8F4Gft3j+fellTRdQ 7BZQ+Vo65HvrtiZHjZCZrkjYgngeWQRv4G9aMGhP/jnb2TlxOAIchw== =IhG4 -----END PGP SIGNATURE-----