Via malicious .ANI files

Apr 4, 2007 15:54 GMT

The .ANI file format vulnerability impacting Windows Animated Cursor Handling has gotten a lot of play lately. One of the reasons for this is the fact that the Windows Animated Cursor Handling flaw is the first pure-blood, purebred Windows Vista critical vulnerability. As I have mentioned before, there are two vectors of attack for exploits targeting the .ANI vulnerability: email clients and browsers.

As far as browsers are concerned, Microsoft has hinted at what it calls mitigating factors for Windows Vista, namely Internet Explorer 7 running in protected mode. McAfee has managed to dispel Microsoft's claim that Internet Explorer 7 protected mode delivers an additional barrier against web-based attacks.

Craig Schmugar, virus research manager at McAfee's Anti-Virus Emergency Response Team Labs, has demonstrated a proof of concept in action on a Windows Vista machine with DEP enabled and IE7 running in protected mode.

IE7 in Windows Vista has the option to run with extremely low privileges. While this provides a mitigation, it does not stop a successful .ANI exploit, and this is also the reason why the Windows Animated Cursor Handling vulnerability in Vista was not downgraded from the Critical severity rating.

Alexander Sotirov, Chief Reverse Engineer at Determina, has compiled a video demonstration revealing that both Firefox 2.0 and Internet Explorer 7 can be used as attack vectors in exploiting the .ANI vulnerability. Alexander Sotirov is also the Determina researcher who initially identified and reported the .ANI vulnerability to Microsoft in 2007.

There is only one solution to protect yourselves against the Windows Animated Cursor Handling flaw, and that is applying the Microsoft security update. Using either IE7 with protected mode or Firefox 2.0 on Vista, you will still be vulnerable. Just watch this video demonstration authored by Sotirov.