Is anything safe about this Operating System?

Message boards : The Lounge : Is anything safe about this Operating System?
Message board moderation

To post messages, you must log in.

AuthorMessage
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 14592
Netherlands
Message 9325 - Posted: 2 Apr 2007, 21:50:02 UTC
Last modified: 2 Apr 2007, 21:50:50 UTC

From BBC News:
Users warned on Windows cursors

The software giant is investigating reports that the way Windows handles alternatives to the traditional arrow cursor can leave PCs open to attack.

By booby-trapping a website or e-mail attachment with code that exploits the flaw, malicious hackers could hijack a Windows PC.

Microsoft warned users to be wary of attachments and urged them to update security software to combat the threat.

Open Windows

Malicious hackers are already known to be exploiting the flaw according to reports from the Sans Internet Storm Center.

In an alert, Sans said several security firms had seen evidence of websites being set up, hosting code that can exploit the bug. Information about it is being spread on bulletin boards malicious hackers are known to frequent.

PC users could fall victim by opening a booby-trapped attachment on an e-mail or by visiting a website that is hosting the code.

"Exploitation happens completely silently," said security firm McAfee which was one of the first to find the bug. Once installed, the exploit code could download and run any other file, warned McAfee.

Microsoft urged people to update their security software so they could get hold of signature files that spot and stop the exploit code.

Simply blocking the .ani files that denote animated cursors will not work as many attackers are renaming booby-trapped files to disguise their dangerous nature.

Microsoft said that many different versions of Windows were vulnerable to the attack. The list of potential victims includes Windows Vista, XP, 2000 and Server 2003.

The software firm said those using Outlook Express would be vulnerable as would those who forward or reply to booby-trapped e-mail messages with Windows Mail on Vista.

However, it said that users of Outlook 2007 would be protected.

Security firms said users can stay safe from this vulnerability by using an alternative browser, such as Opera or Firefox 2.0, with Windows. Also protected are those using Windows Vista with Internet Explorer 7.0.

ID: 9325 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 14592
Netherlands
Message 9326 - Posted: 2 Apr 2007, 21:55:12 UTC

Also from BBC News:
Quick fix for Windows cursor flaw

Microsoft is moving to close a security loophole in Windows that lets attackers hijack a PC via animated cursors.

Malicious hackers are already known to be exploiting the flaw via booby-trapped and compromised websites.

Microsoft usually issues security patches once a month to help users keep their PC safe.

However, the seriousness of the bug has prompted the software company to act early and stifle attempts to exploit the flaw.

Cursor cure

The problem started to receive public attention in late March when security firms realised that the way Windows handles animated cursors could be used as a route to take over a PC.

Microsoft said it had decided to issue a patch early because attacks using the vulnerability had increased in intensity and code to exploit the flaw was known to be circulating widely.

McAfee warned that attackers could booby-trap websites with the exploit code and "silently" compromise vulnerable PCs.

On its Security Response Center blog Microsoft said it had been notified about the flaw in December 2006 and had been working on a fix since then.

The fix was scheduled to be released on 10 April - the next date for Microsoft's regular monthly security update.

"Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10," noted the blog.

PC users will be able to get the fix via Windows automatic update or visit Microsoft itself to download the patch manually.

Users of Windows Vista, XP, 2000 and Server 2003 are potentially vulnerable to the cursor vulnerability.

ID: 9326 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9330 - Posted: 2 Apr 2007, 23:32:33 UTC

Oh god, and I thought infection via Windows Metafile images was already bad enough... Websites can "easily" set custom cursors, to be used only within that page. If there is a security problem on the code that loads or displays the cursor, Bad Things Happen.

I think it would be great if some important website included an "exploit" for this vulnerability, that would download a patch for it. It has been done before: security experts sending the patches using the same security hole that the trojan uses, "infecting" computers with the *fix*, closing the hole.
ID: 9330 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9332 - Posted: 3 Apr 2007, 0:51:01 UTC

Yep, it's *that* bad. I just created an .ani file using unmodified proof-of-concept code. When loaded, it closes whatever program you used (probably explorer.exe). Scary security hole...
ID: 9332 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9333 - Posted: 3 Apr 2007, 2:02:35 UTC - in response to Message 9332.  

Yep, it's *that* bad. I just created an .ani file using unmodified proof-of-concept code. When loaded, it closes whatever program you used (probably explorer.exe). Scary security hole...

Failed at making it do anything else than closing explorer. DEP is luckily protecting me just as it should.
ID: 9333 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9342 - Posted: 4 Apr 2007, 16:20:37 UTC

A Windows Update just installed on my computer. It has fixes for the animated cursor vulnerability, and other 5 less critical vulnerabilities in GDI. More info in Microsoft Security Bulletin MS07-017. Make sure you get it installed!
ID: 9342 · Report as offensive
SekeRob

Send message
Joined: 25 Aug 06
Posts: 1596
Message 9441 - Posted: 8 Apr 2007, 21:10:18 UTC - in response to Message 9342.  
Last modified: 8 Apr 2007, 21:44:12 UTC

Apparently in 2005 MS 'fixed' this, but did not look hard enough to see if they covered all bases. Suppose many saw that the latest set of fixes rushed out cause other problems with e.g. Realtek.

Coelum Non Animum Mutant, Qui Trans Mare Currunt
ID: 9441 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 14592
Netherlands
Message 9442 - Posted: 8 Apr 2007, 22:20:03 UTC

MS has got a hotfix to patch the things the animated cursor patch breaks: http://support.microsoft.com/kb/935448


ID: 9442 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9443 - Posted: 8 Apr 2007, 22:54:09 UTC - in response to Message 9442.  
Last modified: 8 Apr 2007, 22:56:59 UTC

MS has got a hotfix to patch the things the animated cursor patch breaks: http://support.microsoft.com/kb/935448


oh my ****ing god... The animated cursor patch broke things? From what I read, the fix was quite simple. How did they manage to break it? "Is anything safe about this Operating System?" :D

I can't understand how the animated cursor bug needed a change in Hhctrl.ocx to get fixed, although the "animated cursor patch" actually included fixes for other GDI-related problems as well, so it could have been one of those.

It was interesting to read what a mess the code managing on Microsoft is, on The Windows Shutdown crapfest (already posted by another user on this forum, I think it was on the BOINC & Vista thread). That link explains so much...
ID: 9443 · Report as offensive
Profile Jord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 14592
Netherlands
Message 9444 - Posted: 8 Apr 2007, 23:03:37 UTC

Microsoft had to rush the patch. It was originally scheduled for a 14th of April release but was released on the 4th of April, because World of Warcraft users were being targeted.

Now I can figure there's a lot of WoW sites out there. But do they all need IE to run?
ID: 9444 · Report as offensive
Nicolas

Send message
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9445 - Posted: 8 Apr 2007, 23:19:59 UTC

Also, I don't understand why they waited until it was too late. They knew it since December! The fact that they rushed to get it done after it was being exploited means they didn't really take from December till now to get it finished: they could have rushed a bit before and release it before anybody knew the bug even existed.
ID: 9445 · Report as offensive
MikeMarsUK

Send message
Joined: 16 Apr 06
Posts: 386
United Kingdom
Message 9450 - Posted: 9 Apr 2007, 8:21:20 UTC - in response to Message 9443.  


oh my ****ing god... The animated cursor patch broke things? From what I read, the fix was quite simple. How did they manage to break it? "Is anything safe about this Operating System?" :D
...


IMHO the trouble was they fixed the wrong problem. There is no good reason for IE to be loading animated cursors without asking from any old web site it comes across (featuritis). All these fancy features should be off by default in any case (starting with ActiveX).

They should have blocked IE from loading .ANIs *first* and then taken their time sorting out the underlying code.


ID: 9450 · Report as offensive

Message boards : The Lounge : Is anything safe about this Operating System?

Copyright © 2021 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.