Microsoft knew of Windows .ANI flaw since December 2006

A private security research outfit says it notified Microsoft about the animated cursor (.ani) code execution vulnerability since December 2006, a full four months ahead of yesterday's discovery of Internet Explorer drive-by attacks.

According to Alexander Sotirov, chief reverse engineer at Determina, his research team discovered and reported the flaw to Microsoft last December. On January 3, 2007, Microsoft reserved CVE-2007-0038 to use in its security bulletin.

So far this year, Microsoft has shipped 16 bulletins to fix a wide swathe of software vulnerabilities, but the animated cursor bug remains unpatched.

A Redmond spokesman confirmed that Determina responsibly disclosed the details of this flaw last year. "We have been working with Determina since their report in December to investigate the issue and develop a comprehensive update to address the issue," the spokesman said.

So, why has it taken so long to provide protection to Windows users? Microsoft explains:

Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.

Meanwhile, Determina warns that the vulnerability is "trivially exploitable on all versions of Windows, including Vista."

The protected mode of IE7 will lessen the impact of the vulnerability, but shellcode execution is of course still possible. Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer.

This is a fast-moving story with multiple angles. Here are some important things to pay attention to:

** eEye Digital Security, a research firm that found an almost identical bug in 2005 (see MS05-002), is offering a free third-party patch. eEye's interim patch comes with source code. This patch is buyer-beware so use at your own risk.

** The only workaround guidance from Microsoft is to read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail, to help protect yourself from the HTML e-mail preview attack vector. However, reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when forwarding or replying to mail sent by an attacker.

** For users of Outlook Express, using plain text is not an effective mitigation, and users should be extremely careful when reading mail from untrusted or malicious sources.

** In addition to IE, e-mail is a nasty attack vector because an attack can be launched silently if the target simply opens a specially crafted HTML message. However, users of Outlook 2007 are not at risk from the HTML or Preview Pane attack vectors when using Word as their default editor or reading e-mail in plain text. Users of Outlook 2002 (with Office XP Service Pack 1 or a later version) and Outlook 2003 can enable the setting to read mail as plain text to successfully mitigate attacks using the HTML or Preview Pane attack vectors.

** Mark Miller, director of the MSRC (Microsoft Security Response Center) tells me the in-the-wild attacks are still "very limited and targeted" but this could change quickly because exploit code that gives attackers a roadmap to exploit the flaw is publicly available. If the attacks escalate, Microsoft will consider an out-of-band emergency patch.

** This vulnerability does affect Windows Vista. However, Miller believes there are several mitigations that will reduce the risk for Vista users. These include Internet Explorer 7 in Protected Mode and UAC (User Account Control), which gives the user a pop-up warning ahead of an exploit. This is the first in-the-wild exploit that's available for Windows Vista.

** The SANS Internet Storm Center has published a list of hostile domains hosting drive-by exploits.

** WebSense and others have found frightening similarities to the Super Bowl Web site breach earlier this year. This highlights just how widespread this could become if certain high-traffic sites or advertising networks are hijacked and seeded with malicious code.
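The Outlook 2002/2003 plain-text workaround above is a per-user registry setting, so an administrator can audit which mailboxes are still exposed to the HTML preview vector and flip the setting where needed. The following script is an added example, not code from the article or from Microsoft; it assumes the setting is the `ReadAsPlain` DWORD under `HKCU\Software\Microsoft\Office\<version>\Outlook\Options\Mail` (10.0 = Outlook 2002, 11.0 = Outlook 2003), as documented by Microsoft for those releases, and should be checked against your own build before deployment.

```powershell
# Added example (not from the article): audit, and optionally enable, Outlook's
# "read all standard mail in plain text" setting for Outlook 2002 and 2003,
# the two versions the article says the setting mitigates.
# Assumption: the setting is DWORD ReadAsPlain (1 = plain text) under
# HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail; verify before use.
param([switch]$Enable)

$versions = [ordered]@{ '10.0' = 'Outlook 2002'; '11.0' = 'Outlook 2003' }

foreach ($ver in $versions.Keys) {
    $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
    if (-not (Test-Path $key)) { continue }   # this Outlook version is not set up for the current user

    $current = (Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $state = if ($current -eq 1) { 'mitigated (mail read as plain text)' }
             else                { 'EXPOSED (HTML preview enabled)' }
    Write-Output ("{0}: {1}" -f $versions[$ver], $state)

    if ($Enable -and $current -ne 1) {
        # Outlook reads this value at startup, so the change takes effect on the next launch.
        Set-ItemProperty -Path $key -Name ReadAsPlain -Value 1 -Type DWord
        Write-Output ("{0}: ReadAsPlain set to 1; restart Outlook to apply" -f $versions[$ver])
    }
}
```

Run it without `-Enable` to report only; note that, as the article says, this setting does not help Outlook Express users and is only a partial mitigation on Windows Vista Mail.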

  • Don't be so tough on Microsoft

    The whole idea behind confidential disclosure of bugs like this is to keep the attackers from finding out about them. Issuing a patch before the attack surfaces in the wild just gives the malware creators a target, so it would be irresponsible of Microsoft to patch bugs before they turn up in public.

    Or at least that's the way I read MS policy.
    Yagotta B. Kidding
    • Ahh, that way...

      ...the folks who diligently apply all their patches are just as much at risk as everybody else when the attack surfaces. Nice!
    • That is based on an assumption

      That is assuming that you know with 100% accuracy that no one is exploiting said bug.

      Gone are the times of broad attacks for fame. This is the day of hidden and organized attacks for profit. The exploiters of these holes don't want Microsoft patching bugs and exploits or even finding out about them.

      If one person can find this bug/exploit then you can bet others can. Once one person knows about a bug/exploit it isn't going to be long before others know regardless how hard they try to keep it quiet.

      Not patching your product is a very poor idea.

      Allow me to finish your first sentence.
      [i]The whole idea behind confidential disclosure of bugs like this is to keep the attackers from finding out about them[/i] so that the product maintainer can have time to patch their product.

      Most everyone agrees that you need a time of confidential disclosure.

      The big question is:
      How much time do you give? 15 days? 30 days? 90 days? 1 year?
      • Silly question

        [i]Most everyone agrees that you need a time of confidential disclosure.

        The big question is:
        How much time do you give? 15 days? 30 days? 90 days? 1 year?[/i]

        Until the manufacturer goes public. It's their intellectual property, after all. If you go public before they do, you're counting on their benevolence to keep from being sued into oblivion, not to mention prosecuted for computer crimes.

        And, yes, both the civil and criminal cases have happened.
        Yagotta B. Kidding
        • And?

          [i]Until the manufacturer goes public. It's their intellectual property, after all.[/i]

          And, it is the end users that suffer monetary and emotional damage from the negligence of the manufacturer sitting on an exploit. While the manufacturer gets off without any liability thanks to the EULA.

          Sitting on an exploit without patching it is negligence pure and simple.

          That question is very valid.
          • Which doesn't change the fact

            [i]And, it is the end users that suffer monetary and emotional damage from the negligence of the manufacturer sitting on an exploit. While the manufacturer gets off without any liability thanks to the EULA.[/i]

            Computer crimes (which apparently include publishing security flaws) are Federal felonies carrying penalties that have recently been extended. IIRC you can now get life for them.

            Your decision.
            Yagotta B. Kidding
          • Which doesn't absolve

            a manufacturer of their responsibility.

            Just because it is illegal to exploit flaws in software does not give a free pass to a manufacturer to sit on exploits and bugs indefinitely.

            If a driver is speeding down a street and another driver pulls out in front and they crash, whose fault is it?

            The correct answer is the driver who pulled out. The driver who pulled out will be responsible for paying all damages to the speeding driver's vehicle and medical bills, even though the speeding driver was clearly breaking the law and likely ruined the other driver's perception of distance by driving too fast.

            Just because a 3rd party is doing something illegal doesn't absolve the responsibility of the 1st party.

            Sitting on a bug or exploit indefinitely without patching it is negligence. It is that simple.
          • Full Disclosure, this is why.

            Your commentary and this flawed logic are precisely why Full Disclosure is the right way to handle software security issues.
            Mr L
        • MS has a million and one reasons why they can't turn out patches in a

          timely manner like the open source community. From the excuses they are giving, either the code is one big hair ball that is impossible to patch without causing other problems (held together with bailing wire and duct tape), OR, the people working on the patches are the village idiots. Which is it?
          • Look: DB's "quote of the week"

            [i]held together with bailing wire and duct tape[/i]

            Granted it takes a while for him to come up with something like that, and so that means he must use it repeatedly, but the way he gets blown out of the water with his "reasoning" leads me to believe he post his drivel just to use his "catch phrase".

            Nice try, DB
            John Zern
          • Duct tape and bailing describes it quite well. Why else would it take them

            four months, and still no fix. So, either the guys doing the fixes are the village idiots, or, they don't care about customers, or, the whole thing is a big hair ball held together with duct tape and bailing wire.

            And, come on, don't be shy, let's hear you explain why four months to fix a critical flaw is justified. When is the last time it took four months to fix a critical flaw in the Linux kernel or Firefox?
          • To test it to make sure it doesn't break hundreds of applications.

            That is the main reason why MS takes so long at getting a patch out. The other OS alternatives that do not make up more than 8% combined can grind out a patch in a few days. They only have to test it on a few applications and they are not too concerned about breaking functionality. Every time Firefox gets an update there will be a few plug-ins or extensions broken. MS doesn't have this luxury of breaking applications that vendors paid millions for, unless there is no option. It is called regression testing. I hope your walnut sized cerebellum can absorb and digest this.
          • To Test

            There are far more business applications being used in a Windows environment than there are in ANY other operating system. With this wide array of applications there is a high probability that without proper testing of a patch, you could end up making a bad situation worse by rushing a patch out before it has been tested in as many scenarios possible, thereby breaking necessary functionality in a large number of business workstations and servers.

            Even after a patch has been released by MS, it is still a day or two (depending on the severity) before it gets pushed out to all our users' computers. We always test new patches to make sure they work with all of our critical applications. This is a common practice for many companies. If the vulnerability has not been exploited yet, I'd much rather see the manufacturer take the time to test the patch out thoroughly.
            Flying Pig
          • Linux is truly the Operating System

            held together with bailing wire and duct tape, as I have used Linux and I would be one who understands that.

            You talk of tweaking and modifications when it comes to Linux, and that would imply that it is not where Windows is in terms of the out-of-box experience.

            I have, many a time seen these [i]patches in a timely manner (from) the open source community[/i] take down a Linux system in no time.

            Even Apple, as someone else had pointed out, disabled a major application with one of their patches to OSX as they may have rushed it before fully testing it.

            So prior to venturing over to post your "insight" into a subject matter you know little about, stop yourself and save yourself from the embaresment that comes along with the post.
          • You should save yourself the "embaresment" and learn how to spell.

            That is e-m-b-a-r-r-a-s-s-m-e-n-t. And, you should be embarrassed about your garbage post. People use Linux, Solars, BSD, when security matters. And, you are no Linux user - you are an idot. Real Linux users would not embarrass themselves as you did.
          • Ah, thank you for being a good little spell checker

            The issue here (as you are trying to change the topic) is not whether a security issue has arisen, as all OS have had them, but on how great the Open Source community responds to an issue.
            All I pointed out was that I have seen what a poor, rushed, Linux patch can do to a system, and as another user has most aptly pointed out with a link no less, to what can happen when an OSX patch is rushed out.

            Yet it looks as though I have hit the nerve of truth in you, as you go into [i]insult mode[/i] when placed on the defensive.

            So once someone dares critique your post, your thought process precludes you from entertaining the possibility that an error or two has more to do with a mistype than spelling ability, so yes, I will admit to embarrassment that I did not do a quick once-over before posting.

            Should you not do the same to your content, (spelling aside)?
          • As I said, there are very few that use Windows when the highest level of

            security is needed. For that they use Solaris, BSD, or Linux. And tell us about the patches that broke things. Google, ETrade, Amazon, EBay, and others have been using Linux for mission critical tasks for some time now and do not have any of those problems.
          • Pot, Kettle, Black

            "And, you are no Linux user - you are an idot."

            Is that some kind of new Apple product--the iDot? Or are you simply an idIot?

            Considering your record of misspellings, you are the one who should be brushing up on spelling and grammar.

            Oh. Brush up on facts, while you're at it.
            M.R. Kennedy
          • Oh?

            [I have, many a time seen these patches in a timely manner (from) the open source community take down a Linux system in no time.]

            I'd be curious as to which updates those were.
            I've been using Linux for years and have never seen this occur.
          • Say what!?!?!

            I've been using Unix, and later Linux, for years and I have NEVER found anything to lead me to believe the crap which you just posted!

            Please let us know which version of Linux you have used. I want to verify your idiotic claims.
            linux for me