Famished

Mar 30, 2007 15:55 GMT  ·  By

The wolves are prowling around Windows Vista, starving for a bite, and Vista is nothing more than a fresh piece of prey thrown to the pack. The wolves? Symantec, McAfee and Sophos. Yesterday the Microsoft Security Response Center posted an advisory on a critical zero-day vulnerability in Windows animated cursor (.ani) handling. A few hours later, Symantec, McAfee and Sophos seized the opportunity and went for Microsoft's jugular.

"The vulnerability is caused by insufficient format validation, prior to rendering cursors, animated cursors, and icons. If successfully exploited, it will allow an attacker to perform remote code execution on the victim machine. In order to carry out an attack, the attacker would need to convince potential victims to either visit a Web site that contains a Web page that is used to exploit the vulnerability, or view a specially crafted email message or email attachment. The attacker could enable an affected system to execute code," explained Andy Cianciotto, Symantec Security Response Engineer.
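To make Symantec's phrase "insufficient format validation" concrete, here is an added illustration in C. It is not code from the article, from Microsoft or from any of the vendors quoted; it models the bug class rather than the Windows cursor loader. The real ANI format is a RIFF container whose "anih" chunk carries a 36-byte header, and that is the only fact taken from the format itself: the struct field names, the flat chunk walker, the result codes and the constructed sample bytes are all assumptions made for this example. The unchecked loader copies as many bytes as the file declares into a fixed-size stack object; the hardened loader rejects any chunk whose declared length is not exactly the header size before it copies anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 36-byte header, the size of the real 'anih' chunk. Field names are
 * assumptions for this example, not the Windows definitions. */
typedef struct {
    uint32_t header_size;   /* in-band size field, expected to equal 36 */
    uint32_t num_frames, num_steps, width, height;
    uint32_t bit_count, num_planes, display_rate, flags;
} AniHeader;

enum { CHUNK_OK = 0, CHUNK_NOT_FOUND = -1, CHUNK_TRUNCATED = -2, CHUNK_BAD_LENGTH = -3 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a flat sequence of RIFF-style chunks (4-byte tag, 4-byte LE length,
 * data padded to an even size) and find the first chunk with the given tag.
 * This only checks that the chunk data lies inside the buffer; it says
 * nothing about whether the length fits the object it will be copied into. */
static int find_chunk(const uint8_t *buf, size_t n, const char tag[4], size_t *data_off, uint32_t *len) {
    size_t off = 0;
    while (off + 8 <= n) {
        uint32_t clen = rd32le(buf + off + 4);
        if (clen > n - off - 8) return CHUNK_TRUNCATED;   /* declared length runs past the file */
        if (memcmp(buf + off, tag, 4) == 0) { *data_off = off + 8; *len = clen; return CHUNK_OK; }
        off += 8 + clen + (clen & 1);
    }
    return CHUNK_NOT_FOUND;
}

/* VULNERABLE PATTERN: the attacker-chosen chunk length drives a copy into a
 * fixed 36-byte stack object, so a chunk declaring more than 36 bytes smashes
 * whatever follows 'hdr' on the stack. Never call this on untrusted input. */
int load_header_unchecked(const uint8_t *buf, size_t n, AniHeader *out) {
    size_t off; uint32_t len;
    int rc = find_chunk(buf, n, "anih", &off, &len);
    if (rc != CHUNK_OK) return rc;
    AniHeader hdr;
    memcpy(&hdr, buf + off, len);      /* len is never compared with sizeof hdr */
    *out = hdr;
    return CHUNK_OK;
}

/* HARDENED: validate the chunk against the fixed-size object before copying. */
int load_header_checked(const uint8_t *buf, size_t n, AniHeader *out) {
    size_t off; uint32_t len;
    int rc = find_chunk(buf, n, "anih", &off, &len);
    if (rc != CHUNK_OK) return rc;
    if (len != sizeof(AniHeader)) return CHUNK_BAD_LENGTH;        /* the missing check */
    memcpy(out, buf + off, sizeof *out);
    if (out->header_size != sizeof(AniHeader)) return CHUNK_BAD_LENGTH; /* in-band size must agree */
    return CHUNK_OK;
}

/* Constructed sample file (not a real cursor): one dummy chunk followed by an
 * 'anih' chunk whose declared length the caller picks. Returns bytes written. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t anih_len) {
    size_t need = 8 + 4 + 8 + anih_len + (anih_len & 1);
    if (anih_len < 4 || need > cap) return 0;
    memcpy(buf, "LIST", 4); wr32le(buf + 4, 4); memcpy(buf + 8, "fram", 4);
    memcpy(buf + 12, "anih", 4); wr32le(buf + 16, anih_len);
    memset(buf + 20, 0x41, anih_len + (anih_len & 1));
    wr32le(buf + 20, 36);   /* header_size claims 36 whatever the chunk length says */
    return need;
}

/* Run the hardened loader on one of three constructed cases:
 * 0 = well-formed 36-byte chunk, 1 = oversized 200-byte chunk, 2 = file cut short. */
int probe(int which) {
    uint8_t f[512]; AniHeader h; size_t n;
    switch (which) {
    case 0: n = build_sample(f, sizeof f, 36);  return load_header_checked(f, n, &h);
    case 1: n = build_sample(f, sizeof f, 200); return load_header_checked(f, n, &h);
    case 2: n = build_sample(f, sizeof f, 36);  return load_header_checked(f, n - 10, &h);
    default: return -99;
    }
}

int main(void) {
    const char *names[] = { "well-formed", "oversized chunk", "truncated file" };
    for (int i = 0; i < 3; i++) printf("%-16s -> %d\n", names[i], probe(i));
    return 0;
}
```

The unchecked loader is deliberately never run on the oversized sample here; its point is only to show the shape of the defect, a copy length taken from the file rather than from the destination object. The hardened version checks both the chunk length and the header's own size field, so a file that lies in either place is rejected before any rendering code sees it.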

"Animated cursors are typically used by website developers to enrich users' online experiences, but a twirling hourglass is hardly worth the risk of a malicious attack. Sadly users don't get a choice as to whether a website attempts to animate their cursor or not, and hackers could use the vulnerability to run malware," said Graham Cluley, senior technology consultant for Sophos. "Microsoft will be scrabbling to fix this vulnerability at the earliest possible opportunity, as hackers are already exploiting the security loophole in their attempt to infect innocent computer users."

"Last night I had a chance to test Vista's vulnerability. In the process of setting up the environment, I dragged and dropped a malicious ANI file to the desktop. This causes Vista to enter an endless crash-restart loop. I captured a video of this occurring," stated Craig Schmugar, virus research manager with McAfee.

Websense Security Labs are keeping a close eye on the issue and have even discovered a connection with the Dolphin Stadium attack during the Super Bowl: "Websense Security Labs is currently monitoring an unpatched (0-day) vulnerability in Microsoft Windows. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious website. At this time, we are aware of 9 different sites hosting the new exploit. We will continue to monitor for any additional sites, as we expect the exploit's usage to increase."

The Windows .ani file vulnerability would not have gotten this much play if it weren't for Windows Vista. But as long as Vista takes center stage in the operating system market, and as long as security software for Windows Vista needs to be sold...

McAfee: "McAfee Intrushield is proactively protecting customers against all known exploits of this buffer overflow vulnerability."

Sophos: "Sophos researchers have analyzed malware which exploits the Microsoft vulnerability, issuing protection against the Troj/Animoo-U Trojan horse at 23:46 GMT on 29 March 2007."

Symantec: "Users of Symantec products are already protected from this threat."