TELECOM Digest OnLine - Sorted: Urgent! Please read: Windows ANI Header Stack Buffer Overflow


Urgent! Please read: Windows ANI Header Stack Buffer Overflow


Monty Solomon (monty@roscom.com)
Fri, 30 Mar 2007 23:14:37 -0400

Vulnerability Note VU#191609
http://www.kb.cert.org/vuls/id/191609

Microsoft Windows animated cursor ANI header stack buffer overflow

Overview

Microsoft Windows contains a stack buffer overflow in the handling of
animated cursor files. This vulnerability may allow a remote attacker
to execute arbitrary code or cause a denial-of-service condition.

I. Description

Animated cursor files (.ani) contain animated graphics for icons and
cursors. A stack buffer overflow vulnerability exists in the way that
Microsoft Windows processes malformed animated cursor files.
Microsoft Windows fails to properly validate the size specified in the
ANI header. Note that Windows Explorer will process ANI files with
several different file extensions, such as .ani, .cur, or .ico.

Note that animated cursor files are parsed when the containing folder
is opened or when one is used as a cursor. In addition, Internet
Explorer can process ANI files in HTML documents, so web pages and
HTML email messages can also trigger this vulnerability.
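The description above comes down to one unchecked field: the size declared for the ANI header chunk. The scanner below is an added example for triaging suspicious files, not code from CERT, Microsoft or the advisory. It assumes the published animated-cursor layout, which the note does not spell out: a RIFF container with form type "ACON", an "anih" chunk whose payload is the fixed 36-byte ANIHEADER (nine DWORDs, the first of which is its own size), and frames carried in nested LIST chunks. It flags any anih chunk whose declared size or embedded cbSizeof field differs from 36, and any chunk that runs past the end of the file, including anih chunks nested inside LIST chunks. The sample files it is run against are constructed inline.

```python
"""Flag animated cursor (.ani/.cur/.ico) files whose anih header chunk does
not match the fixed-size ANIHEADER structure.  Added example, not vendor code."""
import struct

ANIH_EXPECTED_SIZE = 36   # ANIHEADER is nine little-endian DWORDs (published format fact)
MAX_LIST_DEPTH = 4        # assumption: no legitimate file nests LIST chunks deeper than this


def iter_riff_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[offset:end].
    Stops quietly on a truncated chunk header so the caller reports, not crashes."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)      # RIFF chunks are padded to even length


def _scan_chunks(data, offset, end, findings, depth=0):
    for fourcc, payload_off, size in iter_riff_chunks(data, offset, end):
        chunk_start = payload_off - 8
        chunk_end = payload_off + size
        if chunk_end > end:
            findings.append(f"chunk {fourcc!r} at offset {chunk_start} declares size {size}, "
                            f"which runs past the end of its container ({end})")
            chunk_end = end
        if fourcc == b"anih":
            if size != ANIH_EXPECTED_SIZE:
                # The mismatch the advisory describes: header size not validated by the parser
                findings.append(f"anih chunk at offset {chunk_start} declares size {size}, "
                                f"expected {ANIH_EXPECTED_SIZE}")
            elif chunk_end - payload_off >= 4:
                (cb_sizeof,) = struct.unpack_from("<I", data, payload_off)
                if cb_sizeof != ANIH_EXPECTED_SIZE:
                    findings.append(f"anih chunk at offset {chunk_start} has cbSizeof={cb_sizeof}, "
                                    f"expected {ANIH_EXPECTED_SIZE}")
        elif fourcc == b"LIST" and size >= 4 and depth < MAX_LIST_DEPTH:
            # LIST payload starts with a 4-byte list type, then nested chunks
            _scan_chunks(data, payload_off + 4, chunk_end, findings, depth + 1)


def scan_ani(data):
    """Return a list of finding strings; an empty list means nothing anomalous was seen."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    _scan_chunks(data, 12, min(len(data), riff_size + 8), findings)
    return findings


# --- constructed sample files for demonstration ---------------------------------
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(anih_payload):
    """Minimal ACON file with a single anih chunk and no frames (constructed, not a real cursor)."""
    body = b"ACON" + _chunk(b"anih", anih_payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Well-formed header: cbSizeof=36, 1 frame, 1 step, default rate, AF_ICON flag
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1))
# Malformed header: anih payload much larger than the 36-byte structure
BAD_ANI = build_ani(b"\0" * 100)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI), ("truncated", GOOD_ANI[:40])):
        print(name, scan_ani(sample) or "OK")
```

Run as a script it reports the good sample as OK, the oversized anih chunk in the bad sample, and both the RIFF-size and chunk-overrun problems in the truncated copy. Because Windows Explorer accepts these files under .cur and .ico as well as .ani, a triage pass should feed every such file through the check regardless of extension.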

More information on this vulnerability is available in Microsoft
Security Advisory (935423).
http://www.microsoft.com/technet/security/advisory/935423.mspx

This vulnerability is being actively exploited.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code or cause a denial-of-service condition.

III. Solution

We are unaware of a practical solution to this vulnerability. Until a
fix is available, the following workarounds may reduce the chances of
exploitation:

Configure Outlook to display messages in plain text.

An attacker may be able to exploit this vulnerability by convincing a
user to display a specially crafted HTML email. This can happen
automatically if the preview pane is enabled in your mail client.
Configuring Outlook to display email in plain text can help prevent
exploitation of this vulnerability through email. Consider the
security of fellow Internet users and send email in plain text format
when possible.

Note: The Outlook Express option for displaying messages in plain
text will not prevent exploitation of this vulnerability. This
workaround is only viable for systems with Microsoft Outlook.

Disable preview pane.

By disabling the preview pane in your mail client, incoming email
messages will not be automatically rendered. This can help prevent
exploitation of this vulnerability.

Configure Windows Explorer to use Windows Classic Folders.

When Windows Explorer is configured to use the "Show common tasks in
folders" option, HTML within a file may be processed when that file
is selected. If the "Show common tasks in folders" option is enabled,
selecting a specially crafted HTML document in Windows Explorer may
trigger this vulnerability. Note that the "Show common tasks in
folders" option is enabled by default. To mitigate this attack vector,
enable the "Use Windows classic folders" option. To enable this
option in Windows Explorer:

* Open Windows Explorer
* Select Folder Options from the Tools menu
* Select the "Use Windows classic folders" option in the Tasks section

Do not follow unsolicited links.

In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly into
the browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.

Systems Affected

Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  29-Mar-2007

References

http://www.microsoft.com/technet/security/advisory/935423.mspx
http://vil.nai.com/vil/content/v_141860.htm
http://www.avertlabs.com/research/blog/?p=230
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=T
http://secunia.com/advisories/24659/
http://research.eeye.com/html/alerts/zeroday/20070328.html

Credit

This vulnerability was reported by McAfee.

This document was written by Jeff Gennari and Will Dormann.

Other Information

Date Public           03/29/2007
Date First Published  03/29/2007 02:23:30 PM
Date Last Updated     03/30/2007
CERT Advisory
CVE Name              CVE-2007-0038
Metric                66.60
Document Revision     27

Produced 2007 by US-CERT, a government organization
