Microsoft confirms Windows zero-day, drive-by exploits

[UPDATE: March 29, 2007 @ 1:15 PM Eastern] Microsoft has confirmed that this is indeed a zero-day flaw that will require a security update. Although Internet Explorer is the primary attack vector, this is a vulnerability in the way Windows handles animated cursor (.ani) files.

From Redmond's security advisory:

The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons.

An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment, the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.
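The advisory attributes the flaw to insufficient format validation before rendering and notes that the attack is not tied to the .ani extension. The following Python checker is an added example, not Microsoft's code and not anything from the article: it validates a RIFF/ACON container by content alone, rejecting any chunk whose declared length runs past its container, an anih chunk that is not exactly the 36 bytes the ANIHEADER structure defines, and a frame count that does not match the icon chunks present. The sample blobs are constructed inline; which checks "format validation" should cover is this example's choice, not a description of the exploited condition.

```python
import struct

# sizeof(ANIHEADER): nine little-endian DWORDs
# (cbSize, nFrames, nSteps, cx, cy, cbBitCount, nPlanes, JifRate, flags)
ANIH_SIZE = 36


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, payload_size) for the RIFF chunks in data[start:end].

    Raises ValueError as soon as a chunk header is truncated or a declared size
    runs past the enclosing container, so no caller ever reads past the buffer."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        if size > end - payload:
            raise ValueError(
                f"chunk {fourcc!r} at offset {pos} declares {size} bytes "
                f"but only {end - payload} remain in its container")
        yield fourcc, payload, size
        pos = payload + size + (size & 1)  # RIFF chunks are padded to even length


def validate_ani(data):
    """Return a list of findings for a RIFF/ACON blob; an empty list means well formed.

    Decides by content, never by file name, because the advisory notes that a
    successful attack is not constrained to the .ani extension."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return ["not a RIFF container"]
    if data[8:12] != b"ACON":
        return [f"RIFF form {data[8:12]!r} is not ACON (not an animated cursor)"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_size
    if end > len(data):
        findings.append(f"RIFF header declares {riff_size} bytes but only {len(data) - 8} follow it")
        end = len(data)

    anih_count, declared_frames, icon_frames = 0, None, 0
    try:
        for fourcc, off, size in iter_chunks(data, 12, end):
            if fourcc == b"anih":
                anih_count += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih chunk declares {size} bytes; ANIHEADER is {ANIH_SIZE}")
                    continue
                cb_size, n_frames = struct.unpack_from("<2I", data, off)
                if cb_size != ANIH_SIZE:
                    findings.append(f"anih cbSize field is {cb_size}, expected {ANIH_SIZE}")
                declared_frames = n_frames
            elif fourcc == b"LIST" and size >= 4 and data[off:off + 4] == b"fram":
                # frame list: the list-type fourcc is followed by one icon chunk per frame
                for sub, _, _ in iter_chunks(data, off + 4, off + size):
                    if sub == b"icon":
                        icon_frames += 1
    except ValueError as exc:
        findings.append(str(exc))

    if anih_count != 1:
        findings.append(f"expected exactly one anih chunk, found {anih_count}")
    if declared_frames is not None and declared_frames != icon_frames:
        findings.append(f"anih declares {declared_frames} frames but {icon_frames} icon chunks present")
    return findings


def scan_blobs(blobs):
    """Return {name: findings} for every blob that is RIFF/ACON by content and fails
    validation, whatever its name ends in; blobs that are not RIFF/ACON are skipped."""
    report = {}
    for name, data in blobs:
        findings = validate_ani(data)
        if findings and data[:4] == b"RIFF" and data[8:12] == b"ACON":
            report[name] = findings
    return report


# --- constructed sample inputs (assumed for this example, not real-world files) ---
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def _riff(form, body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


def _anih(n_frames=1):
    return struct.pack("<9I", ANIH_SIZE, n_frames, n_frames, 0, 0, 0, 0, 1, 1)


FRAME_LIST = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 22))  # icon payload is a placeholder
GOOD_ANI = _riff(b"ACON", _chunk(b"anih", _anih()) + FRAME_LIST)
OVERSIZED_ANIH = _riff(b"ACON", _chunk(b"anih", _anih() + b"A" * 64) + FRAME_LIST)
TRUNCATED_ANI = GOOD_ANI[:-10]

if __name__ == "__main__":
    for name, blob in [("cursor.ani", GOOD_ANI), ("image.jpg", OVERSIZED_ANIH), ("file.bin", TRUNCATED_ANI)]:
        print(name, validate_ani(blob) or "ok")
```

Running the block prints an empty result for the well-formed cursor, the oversized anih finding for the blob named image.jpg, and the truncation findings for file.bin; scan_blobs applies the same content-based check to a batch of files so the report does not depend on extensions.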

A zero-day vulnerability in Microsoft's dominant Internet Explorer browser is being used in drive-by attacks against fully patched Windows XP SP2 systems, according to warnings from anti-virus vendors.

McAfee was the first to raise the alert for the attacks, warning that the exploit simply requires that a user is lured to a maliciously rigged Web page:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

According to McAfee researcher Craig Schmugar, the flaw exists in the way IE handles malformed .ani files. (The .ani file format is used to read and store Windows Animated Cursors; such a file can easily be placed on an attacker's Web site to trigger the vulnerability.)

Multiple sources in the anti-malware community have confirmed McAfee's findings; the attacks seen so far deliver arbitrary .exe files and Trojan downloaders.

Trend Micro has posted an alert with a diagram explaining the characteristics of the attack:

[Image: diagram of the IE zero-day attack characteristics]

The flaw is believed to be a variant of a Windows vulnerability patched in January 2005 with the MS05-002 bulletin. Microsoft has confirmed to McAfee that this is a zero-day vulnerability. A formal security advisory will be posted here later today (See update above for info on Microsoft's formal confirmation).

Affected Products:

Windows XP Service Pack 2, Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Windows Server 2003 SP1
Microsoft Windows Internet Explorer 7 for Windows XP SP2
Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1

Web surfers using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer 7.0 protected mode.

Topics: Security, Browser, Microsoft, Windows

Talkback

64 comments
  • Ouch...

    Use Firefox or Opera.
    Linux User 147560
    • Re: Use Firefox or Opera

      Firefox 2.x is a security nightmare of its own. Opera (my browser of choice) is notoriously slow on sites that are optimized for IE.

      I use IE7 for specific things (Windows and MS Update) and at websites I trust. Opera gets my nod for everything else.
      M.R. Kennedy
      • Please read the article!

        First of all, your claim that FireFox is a security nightmare is totally bogus.

        More importantly, the exploit is about .ani files, you know...animated cursors????

        Please read the article before posting. It doesn't matter what browser you are using, this is a Windows OS exploit!
        linux for me
        • hummmm ...

          ... this is one of the reasons that make me use Sandboxie (www.sandboxie.com)
          trial.manager@...
        • Any browser?

          linux for me wrote:

          [i]It doesn't matter what browser you are using, this is a Windows OS exploit![/i]

          Then why does the article state this:

          [i]Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0.[/i]
          JDThompson
      • FF 2.x a Security nightmare?

        Why? I noticed that it suddenly became so slow that I reinstalled 1.5.x which is really fast.
        trial.manager@...
    • Ouch 7.0

      Use IE 7 no problems
      Mectron
      • Did you bother to read the article?

        >"IE 7 no problems"

        From the article: "Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack"
        jinko
        • It's a fair bet

          that a MS zealot is running Vista, which according to the article is fine in protected mode.
          Michael Kelly
          • Rhythm method.

            Security is like sex, once you're penetrated you're... well.. let's just say that any "jail" that still allows the compromised application to make network connections and intercept the user's passwords and financial info as they're entered into said compromised application... is more like the rhythm method than the pill.
            Resuna
          • Rhythm method.

            Ahh but with Microsoft as in life, there is always a nice nasty Virus right around the corner. Some Viruses KILL... Use some Protection... Or find something safer like Opera..
            aussieblnd@...
  • Opera 9

    No more drive-bys.

    http://www.opera.com
    Scrat
    • Why Opera?

      ... can't figure why Opera is safer than FF or Seamonkey. For sure, no one can bring any test results that support it.
      trial.manager@...
      • Opera Always Fully Patched

        Besides the feature differences (IE 7 still does not have a number of time-saving features that Opera has), Opera offers better security:

        Secunia monitors vulnerabilities in more than 9,500 products

        Opera - 100% Patched - (Every time I have checked over the years they have been 100% Patched). I am not making any claims about this particular vulnerability as it may be browser independent.

        I have been checking browser vulnerabilities for years at secunia.com. Every single time I have checked (probably 6-8 times per year for each browser for a few years) Opera has been fully patched. I have never found IE or FireFox to be fully patched though on average I have found FireFox to be more fully patched than IE.

        Links - look at the first graph for each link to see % patched vs unpatched:

        Opera 9: http://secunia.com/product/10615/?task=statistics

        Opera 8: http://secunia.com/product/4932/?task=statistics

        IE - 78% UnPatched for current version - (I have never seen IE 100% patched when I periodically have checked over the years)

        IE 7: http://secunia.com/product/12366/?task=statistics

        IE 6: http://secunia.com/product/11/?task=statistics

        FireFox 2.0: http://secunia.com/product/12434/?task=statistics

        FireFox 1.X: http://secunia.com/product/4227/?task=statistics
        stds
  • Tell me AGAIN why we have to wait a whole month for updates (nt)

    nt = no text
    CobraA1
    • Because MS says so

      because they can. You are griping right now. Are you going to stop using Windows? I didn't think so, so Microsoft could care less about your complaints; you'll still buy their products.
      frgough
      • lol

        "You are griping right now."

        Geez, how long did it take to figure that out, Einstein?

        "Are you going to stop using Windows?"

        Unfortunately, I'm too dependent on it. I've tried dual booting Linux in the past, but I still have some products that don't work in Linux, and won't work in WINE.

        "so Microsoft could care less about your complaints; you'll still buy their products."

        The only Microsoft products I've ever bought is their OSes. And if WINE can resolve their incompatibility issues, I could easily be convinced to stop using Microsoft products completely. Don't fool yourself into thinking that statement will remain true forever.

        And you still haven't answered my question.
        CobraA1
      • Because CUSTOMERS ASKED for it.

        Microsoft's monthly patch cycle is the result of customer feedback. Get over it already. Stop faulting Microsoft for everything under the sun. I recall people faulting Microsoft for releasing patches daily. They're damned if they do and damned if they don't with you guys. You don't like Microsoft and/or their products? Fine. Use something else and shut up already!
        ye
        • I certainly don't remember anybody asking for it

          This is about security. Just because they want it doesn't mean it's good for them. I'm sure a lot of people didn't like UAC, but that didn't prevent them from implementing it.

          "Stop faulting Microsoft for everything under the sun."

          I don't.

          "I recall people faulting Microsoft for releasing patches daily."

          Whoop de do. It's good for them.

          "Use something else and shut up already!"

          No, I will not.
          CobraA1
    • Microsoft can't afford it, that's why.

      /sarcasm
      HypnoToad72