Microsoft will issue a patch for the .ANI file format handling vulnerability on April 3

Apr 2, 2007 14:46 GMT

All it took was one critical vulnerability and Windows Vista became a true operating system superstar. I am of course speaking about the critical vulnerability in Windows Animated Cursor Handling, which affects Windows 2000, Windows XP, Windows Server 2003 and Windows Vista. The Microsoft Security Response Center acknowledged that Microsoft had been aware of the .ANI file vulnerability since December 20, 2006, when it was reported by Determina, but that no measures had been set up to protect Windows customers in the meantime.

After the Windows Animated Cursor Handling zero-day vulnerability became public, Microsoft revealed that it was monitoring the situation and that it was aware of limited, targeted attacks attempting to exploit the flaw. Due to a combination of the public disclosure of proof-of-concept code, increasing attacks and customer feedback, the Redmond company will issue an out-of-band security update on April 3, 2007.

In the meantime, Christopher Budd, a security program manager with the MSRC, reported that "over this weekend attacks against this vulnerability have increased somewhat." While "somewhat" is a term that tells exactly nothing, Symantec, Sophos and McAfee are painting a more realistic picture of the situation.

Symantec Security Response has warned of the detection of W32.Fubalca, a new worm designed to infect executables and HTML-type files and to insert links that point to malformed Animated Cursor files. According to the Cupertino-based security company, W32.Fubalca is associated with the Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability. The malicious Animated Cursor .ANI files themselves are identified as Trojan.Anicmoo.
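As an added example (not from the article and not the detection logic of any vendor named in it), the structural check below parses the RIFF container that .ANI files use and flags the kind of malformation behind this class of file: the anih header chunk is a fixed 36-byte structure, so an anih chunk that declares any other length, a chunk whose declared length runs past the end of the file, or a file carrying more than one anih chunk is worth quarantining for closer inspection. The 36-byte header size and the RIFF/ACON layout are facts of the format; the heuristic itself, the sample files and the function names are constructed here for illustration.

```python
import struct

# sizeof(ANIHEADER): nine DWORD fields (cbSizeof, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags). A well-formed file has exactly one
# anih chunk of exactly this length.
ANIH_SIZE = 36


def build_ani(anih_payloads):
    """Build a minimal RIFF/ACON container from a list of anih payloads.

    Constructed test data only: real files also carry LIST/fram chunks,
    which this check ignores.
    """
    body = b"ACON"
    for payload in anih_payloads:
        body += b"anih" + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"  # RIFF chunks are padded to an even length
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data):
    """Yield (fourcc, declared_size, payload) for each top-level chunk."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF ACON (animated cursor) file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        # Slicing never reads past the buffer, so an oversized declared length
        # simply yields a short payload, which check_ani reports.
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, size, payload
        pos += 8 + size + (size & 1)


def check_ani(data):
    """Return a list of findings; an empty list means the anih chunks look sane."""
    findings = []
    anih_count = 0
    for fourcc, size, payload in iter_chunks(data):
        if fourcc != b"anih":
            continue
        anih_count += 1
        if size != ANIH_SIZE:
            findings.append(
                f"anih chunk #{anih_count} declares {size} bytes, expected {ANIH_SIZE}")
        if len(payload) < size:
            findings.append(
                f"anih chunk #{anih_count} declared length runs past end of file")
        if size == ANIH_SIZE and len(payload) == ANIH_SIZE:
            cb = struct.unpack_from("<I", payload, 0)[0]
            if cb != ANIH_SIZE:
                findings.append(
                    f"anih chunk #{anih_count} cbSizeof field is {cb}, expected {ANIH_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk found")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks found, expected exactly one")
    return findings


# Constructed samples: one well-formed header, and one file that appends a
# second anih chunk declaring 200 bytes (the shape of the malformed files).
GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = build_ani([GOOD_HEADER])
OVERSIZED_ANI = build_ani([GOOD_HEADER, b"A" * 200])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ANI), ("oversized", OVERSIZED_ANI)):
        print(name, check_ani(blob) or "ok")
```

Run on a directory of cursor files, a non-empty findings list is a triage signal rather than a verdict: the check only validates container structure, so it complements rather than replaces the vendor signatures mentioned in the article.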

Sophos was one of the first security vendors to react to the Windows Animated Cursor Handling vulnerability, adding protection against the Troj/Animoo-U Trojan horse identified as exploiting the .ANI flaw. Furthermore, Sophos revealed that its Behavioral Genotype Protection technology proactively detects the Mal/Behav-010 worm.

"Normally Microsoft releases security patches on the second Tuesday of the month. Clearly the danger that the ANI vulnerability represents has encouraged them to release a patch as quickly as possible, which is good news for vulnerable Internet users," said Graham Cluley, senior technology consultant for Sophos. "The fact that a worm has been seen in the wild exploiting the Microsoft security bug has raised the stakes over the weekend. Proactive protection has ensured that Sophos customers are not at risk from this viral attack."

Additionally, McAfee has warned of the spread of the Exploit-ANIfile.c Trojan horse, also associated with the .ANI file format handling vulnerability. McAfee has also identified the Downloader-BBH downloader as involved in the active exploitation of the Windows Animated Cursor Handling flaw.