ANI Zero Day Takes New Turns to the Uber-Nasty
If you're reading this with Internet Explorer on a Windows machine, don't. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination. Proof-of-concept code for the attack was released after business hours on Friday, according to SANS. Blocking .ani files won't help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs. Microsoft today posted security advisory 935423 about the exploit. Here's the full list of vulnerable systems: Microsoft Windows 2000 Service Pack 4The company still hasn't provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765). Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft's patch when it's out. According to Microsoft, using IE 7 in Protection Mode will protect users from the exploit. SANS is reporting that anti-virus detection is picking up on the exploit, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. McAfee's Avert Labs, which discovered the exploit earlier this week, has posted a video of the attack in action against Vista in which the system enters an endless crash-restart loop. McAfee said that the video doesn't reflect how the attack would look in the real world, where it would come through a Web browser. Trend Micro has a diagram of how the malware is working here. Microsoft has updated its MSRC blog to answer questions about the ANI attack that have been rolling in since it started spreading. The answers to those questions, in a nutshell:
|
Comments (4)
Important!
the above fix is NOT a fix!
from:
http://blogs.zdnet.com/security/?p=145
"The remote exploit code even BYPASSES the unofficial patch being offered by eEye Digital Security. The proof-of-concept code is available at Milw0rm.com, a public repository for free exploits. "
Microsoft is supposedly releasing a fix on Tuesday.
Posted by David | April 2, 2007 10:58 AM
I am SO glad that I am MS free and no longer have to wait for Microsoft to get off their dead ass and make needed repairs to their OS.
FOSS may have as many, even more vulnerabilities than MS, but they get fixed right away if they are serious problem. The above article says that MS was informed in December about the problem, it is now April and they STILL have NOT gotten around to making a patch, and people still pay good money for that crap.
No thanks, I'll stick with the better OS.
Posted by Lonnie Mullenix | April 2, 2007 12:43 PM
I am SO glad that I am MS free and no longer have to wait for Microsoft to get off their dead ass and make needed repairs to their OS.
FOSS may have as many, even more vulnerabilities than MS, but they get fixed right away if they are serious problem. The above article says that MS was informed in December about the problem, it is now April and they STILL have NOT gotten around to making a patch, and people still pay good money for that crap.
No thanks, I'll stick with the better OS.
Posted by Lonnie Mullenix | April 2, 2007 2:15 PM
Still yet another reason to dump M$ft products and go open source: Linux, BSD, etc...
Posted by Al | April 3, 2007 6:06 AM