
Microsoft releases emergency patch for seven Windows vulnerabilities

Microsoft has issued an "emergency" patch to fix a buffer overrun error in Windows cursor handling code and six other vulnerabilities. These bugs affect every version of Windows since Windows 2000. Microsoft urges all affected Windows users to immediately install the patch before more harm can be done.
Written by Ed Burnette, Contributor

Microsoft has issued an "emergency" patch to fix a Critical remote code execution vulnerability in Windows cursor handling code plus six other vulnerabilities. The bugs affect every version of Windows since Windows 2000, including the latest version of Microsoft Vista. Mac, Linux, and Solaris users are immune.

The update addresses several problems at once because the required modifications are located in related files. One update thus takes the place of several updates that are almost the same.

The worst problem is the so-called "ANI exploit", an animated cursor vulnerability first reported by Alexander Sotirov of Determina back in December 2006. It wasn't considered a high priority until exploits started appearing in the wild late last week. Jeff Gennari and Will Dormann wrote a nice description of the problem for CERT:

A stack buffer overflow vulnerability exists in the way that Microsoft Windows processes malformed animated cursor files. Microsoft Windows fails to properly validate the size specified in the ANI header. Note that Windows Explorer will process ANI files with several different file extensions, such as .ani, .cur, or .ico.

Early reports claiming that Firefox or IE7 were immune were incorrect. The bug is particularly insidious because of its location way down deep in the Windows "user32.dll" system file. From there it can render almost all programs running on Windows vulnerable, including Internet Explorer, Outlook, Firefox, Windows Explorer, and more. Just avoiding certain types of files won't help:

Please be aware that filtering based just on the ANI, CUR, or ICO file extensions will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as an ANI file by virtue of its file contents. ANI files begin with the ASCII sequence: RIFF (hex 52 49 46 46). Malformed ANI files that can exploit this vulnerability contain the string anih followed by the dword 0x24, and then a second instance of anih followed by a dword value other than 0x24.
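As an added illustration (not code from CERT, Microsoft, or the original article), the content-based check described above can be sketched in Python. The function names and the zero-filled sample blobs are constructed for this example, and it matches the byte pattern the advisory gives rather than fully parsing the RIFF structure.

```python
import struct

RIFF_MAGIC = b"RIFF"        # hex 52 49 46 46, as given in the advisory
ANIH_TAG = b"anih"
EXPECTED_ANIH_SIZE = 0x24   # dword the advisory expects after a well-formed anih


def anih_sizes(data):
    """Return the dword that follows each 'anih' tag, in file order."""
    sizes = []
    pos = data.find(ANIH_TAG)
    while pos != -1:
        field = data[pos + 4:pos + 8]
        if len(field) == 4:  # ignore a tag truncated at end of file
            sizes.append(struct.unpack("<I", field)[0])  # RIFF dwords are little-endian
        pos = data.find(ANIH_TAG, pos + 4)
    return sizes


def classify(data):
    """Classify by content only: 'not-riff', 'clean' or 'suspicious'."""
    if not data.startswith(RIFF_MAGIC):
        return "not-riff"
    sizes = anih_sizes(data)
    # Advisory pattern: anih + 0x24 first, then another anih + anything else.
    later_mismatch = any(s != EXPECTED_ANIH_SIZE for s in sizes[1:])
    if sizes and sizes[0] == EXPECTED_ANIH_SIZE and later_mismatch:
        return "suspicious"
    return "clean"


def _chunk(tag, declared_size, body):
    return tag + struct.pack("<I", declared_size) + body


def _riff(*chunks):
    payload = b"ACON" + b"".join(chunks)  # ACON is the RIFF form type of ANI files
    return RIFF_MAGIC + struct.pack("<I", len(payload)) + payload


# Constructed, zero-filled samples; names chosen to show the extension is irrelevant.
ZEROS = bytes(0x24)
SAMPLES = {
    "cursor.ani": _riff(_chunk(ANIH_TAG, 0x24, ZEROS)),
    "photo.jpg": _riff(_chunk(ANIH_TAG, 0x24, ZEROS), _chunk(ANIH_TAG, 0x58, ZEROS)),
    "notes.txt": b"plain text without a RIFF header",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
```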

All affected Windows users (including Vista and XP users) are urged to immediately install the patch before more harm can be done. If you're interested in the animated cursor format itself, see this site from GDG Software.

Buffer overruns are endemic to the non-managed C, C++, and Assembler code that makes up the bulk of today's system software. Various attempts to mitigate the problem have been tried, such as the NX bit (also known as XD or DEP) and tools that review existing code for possible problems. However, the only fool-proof way for programmers to avoid them is to write code in a different language that prevents these kinds of memory and pointer problems from occurring in the first place.
