Microsoft confirms Windows zero-day, drive-by exploits

[UPDATE: March 29, 2007 @ 1:15 PM Eastern] Microsoft has confirmed that this is indeed a zero-day flaw that will require a security update. Although Internet Explorer is the primary attack vector, this is a vulnerability in the way Windows handles animated cursor (.ani) files.

From Redmond's security advisory:

The threat is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons.

An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

A zero-day vulnerability in Microsoft's dominant Internet Explorer browser is being used in drive-by attacks against fully patched Windows XP SP2 systems, according to warnings from anti-virus vendors..

McAfee was the first to raise the alert for the attacks, warning that the exploit simply requires that a user is lured to a maliciously rigged Web page:

Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.

According to McAfee researcher Craig Schmugar, the flaw exists in the way IE handles malformed .ani files. (The .ani file format is used to read and store Windows Animated Cursors) and can be easily placed on an attacker's Web site to trigger the vulnerability).

Multiple sources in the anti-malware community have confirmed McAfee's discovery, which includes the use of arbitrary .exe files and Trojan downloaders.

Trend Micro has posted an alert with a diagram explaining the characteristics of the attack:

The flaw is believed to be a variant of a Windows vulnerability patched in January 2005 with the MS05-002 bulletin. Microsoft has confirmed to McAfee that this is a zero-day vulnerability. A formal security advisory will be posted here later today (See update above for info on Microsoft's formal confirmation).

Affected Products:

Windows XP Service Pack 2, Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Windows Server 2003 SP1
Microsoft Windows Internet Explorer 7 for Windows XP SP2
Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1

Web surfers using Internet Explorer 7 on Windows Vista are protected from currently known Web-based attacks due to Internet Explorer 7.0 protected mode.