Microsoft confirms Windows zero-day, drive-by exploits

[UPDATE: March 29, 2007 @ 1:15 PM Eastern] Microsoft has confirmed that this is indeed a zero-day flaw that will require a security update. Although Internet Explorer is the primary attack vector, this is a vulnerability in the way Windows handles animated cursor (.ani) files.

From Redmond's security advisory:

The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons.

An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

A zero-day vulnerability in Microsoft's dominant Internet Explorer browser is being used in drive-by attacks against fully patched Windows XP SP2 systems, according to warnings from anti-virus vendors.

McAfee was the first to raise the alert for the attacks, warning that the exploit simply requires that a user is lured to a maliciously rigged Web page:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

According to McAfee researcher Craig Schmugar, the flaw exists in the way IE handles malformed .ani files. (The .ani file format is used to read and store Windows Animated Cursors.) Such a file can easily be placed on an attacker's Web site to trigger the vulnerability.

Multiple sources in the anti-malware community have confirmed McAfee's discovery, which includes the use of arbitrary .exe files and Trojan downloaders.

Trend Micro has posted an alert with a diagram explaining the characteristics of the attack:

 

[Diagram: IE zero day attack characteristic]

The flaw is believed to be a variant of a Windows vulnerability patched in January 2005 with the MS05-002 bulletin. Microsoft has confirmed to McAfee that this is a zero-day vulnerability. A formal security advisory will be posted here later today (See update above for info on Microsoft's formal confirmation).

Affected Products:

Windows XP Service Pack 2, Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Windows Server 2003 SP1
Microsoft Windows Internet Explorer 7 for Windows XP SP2
Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1

Web surfers using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer 7.0 protected mode.
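Because the advisory says an attack is not constrained by the .ani extension, a mail or web filter has to recognise animated cursors by content and check their structure itself. The following is an added example, not code from Microsoft, McAfee or this article: it identifies RIFF/ACON data under any file name and validates chunk sizes. The 36-byte `anih` header and the one-header rule come from the ANI file format and are assumptions here, since the article does not say which field Windows fails to validate; `sample()` builds constructed test input.

```python
import struct

ANIH_SIZE = 36  # length of the ANIHEADER structure (ANI format; not stated in the article)

def is_ani(data: bytes) -> bool:
    """Recognise an animated cursor by its RIFF/ACON magic, not its name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def walk(data, pos, end, problems):
    """Walk RIFF chunks in [pos, end); return how many anih chunks were seen."""
    seen = 0
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > end:
            problems.append(f"chunk {cid!r} at offset {pos} overruns its container")
            break
        if cid == b"anih":
            seen += 1
            if size != ANIH_SIZE:
                problems.append(f"anih at offset {pos} has size {size}, expected {ANIH_SIZE}")
        elif cid == b"LIST" and size >= 4:
            seen += walk(data, body + 4, body + size, problems)
        pos = body + size + (size & 1)  # chunks are padded to an even length
    return seen

def validate_ani(data: bytes) -> list:
    """Return the structural problems found; an empty list means none."""
    if not is_ani(data):
        return ["not a RIFF/ACON file"]
    problems = []
    if struct.unpack_from("<I", data, 4)[0] + 8 > len(data):
        problems.append("RIFF size field exceeds file length")
    if walk(data, 12, len(data), problems) != 1:
        problems.append("expected exactly one anih chunk")
    return problems

def triage(name: str, data: bytes) -> str:
    """Classify by content; the file name is only used to report a mismatch."""
    if not is_ani(data):
        return "not-ani"
    verdict = "malformed-ani" if validate_ani(data) else "ok-ani"
    return verdict if name.lower().endswith(".ani") else verdict + "+renamed"

def sample(anih_len: int) -> bytes:
    """Constructed input: a RIFF/ACON file with one anih chunk of anih_len zero bytes."""
    body = b"anih" + struct.pack("<I", anih_len) + bytes(anih_len)
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"ACON" + body
```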

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
