A private security research outfit says it notified Microsoft about the animated cursor (.ani) code execution vulnerability in December 2006, a full four months ahead of yesterday's discovery of Internet Explorer drive-by attacks.
According to Alexander Sotirov, chief reverse engineer at Determina, his research team discovered and reported the flaw to Microsoft last December. On January 3, 2007, Microsoft reserved CVE-2007-0038 to use in its security bulletin.
So far this year, Microsoft has shipped 16 bulletins to fix a wide swathe of software vulnerabilities, but the animated cursor bug remains unpatched.
A Redmond spokesman confirmed that Determina responsibly disclosed the details of this flaw last year. "We have been working with Determina since their report in December to investigate the issue and develop a comprehensive update to address the issue," the spokesman said.
So, why has it taken so long to provide protection to Windows users? Microsoft explains:
"Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges. When a potential vulnerability is reported, designated product-specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe."
Meanwhile, Determina warns that the vulnerability is "trivially exploitable on all versions of Windows, including Vista."
The protected mode of IE7 will lessen the impact of the vulnerability, but shellcode execution is of course still possible. Determina also discovered that under certain circumstances Mozilla Firefox uses the same underlying Windows code for processing ANI files, and can be exploited similarly to Internet Explorer.
This is a fast-moving story with multiple angles. Here are some important things to pay attention to:
** eEye Digital Security, a research firm that found an almost identical bug in 2005 (see MS05-002), is offering a free third-party patch. eEye's interim patch comes with source code. This patch is buyer-beware, so use it at your own risk.
** The only workaround guidance from Microsoft is to read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail, to help protect yourself from the HTML e-mail preview attack vector. However, reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when forwarding and replying to mail sent by an attacker.
** For users of Outlook Express, using plain text is not an effective mitigation, and users should be extremely careful when reading mail from untrusted or malicious sources.
** In addition to IE, e-mail is a nasty attack vector because an attack can be launched silently if the target simply opens a specially crafted HTML message. However, users of Outlook 2007 are not at risk from the HTML or Preview Pane attack vectors when using Word as their default editor or reading e-mail in plain text. Users of Outlook 2002 (with Office XP Service Pack 1 or a later version) and Outlook 2003 can enable the setting to read mail as plain text to successfully mitigate attacks using the HTML or Preview Pane attack vectors.
** Mark Miller, director of the MSRC (Microsoft Security Response Center), tells me the in-the-wild attacks are still "very limited and targeted" but this could change quickly because exploit code that gives attackers a roadmap to exploit the flaw is publicly available. If the attacks escalate, Microsoft will consider an out-of-band emergency patch.
** This vulnerability does affect Windows Vista. However, Miller believes there are several mitigations that will reduce the risk for Vista users. These include Internet Explorer 7 in Protected Mode and UAC (User Account Control), which gives the user a pop-up warning ahead of an exploit. This is the first in-the-wild exploit that's available for Windows Vista.
** The SANS Internet Storm Center has published a list of hostile domains hosting drive-by exploits.
** WebSense and others have found frightening similarities to the Super Bowl Web site breach earlier this year. This highlights just how widespread this could become if certain high-traffic sites or advertising networks are hijacked and seeded with malicious code.