
HTTP ANI File Hdr Size BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a buffer overflow vulnerability affecting the ANI (animated cursor file) handler on Microsoft Windows operating systems.

Additional Information

A stack-based buffer overflow vulnerability is reported to affect the ANI (animated cursor file) handler on Microsoft Windows operating systems.

The vulnerability exists in the ANI file header handling routines contained in the 'user32.dll' library. The issue exists because the length of an ANI file header, which may be user-controlled, is passed directly as the length argument to a 'memcpy()' operation.

It has been reported that, depending on the ANI file header length that is supplied, this memory copy operation may result in a stack-based buffer overflow condition. Excess data copied into a fixed-size stack-based buffer will corrupt the contents of memory adjacent to the vulnerable buffer. Reportedly, by triggering this vulnerability it is possible to corrupt a saved instruction pointer and/or structured exception handler data. As a result, this vulnerability may be leveraged to influence the execution flow of the affected library.

Ultimately the issue may be leveraged to force the execution of attacker-supplied instructions. It has been reported that this vulnerability affects any application that employs the vulnerable Internet Explorer component, for example: Microsoft Internet Explorer, Word, Excel, PowerPoint, Outlook, Outlook Express and the Windows Shell. Other applications are also affected.
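
The header-length check described above can be applied to a file before it reaches the handler. The following is an added example, not Symantec's signature logic or code from this page: it walks the RIFF chunks of an animated cursor and reports every header chunk whose declared length is not the fixed header size. The RIFF/ACON/anih tags and the 36-byte header size come from the ANI file format, not from this page; the sample files are constructed.

```python
import struct

ANIH_SIZE = 36  # assumption from the ANI format: ANIHEADER is nine 32-bit fields


def chunk(tag, body):
    """Build one RIFF chunk (helper for the constructed samples below)."""
    pad = b"\x00" * (len(body) & 1)  # chunk bodies are padded to an even length
    return tag + struct.pack("<I", len(body)) + body + pad


def riff_acon(*chunks):
    """Wrap chunks in a RIFF container of form type ACON (animated cursor)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def check_ani(data):
    """Return [(offset, declared_size)] for each 'anih' chunk whose declared
    length differs from ANIH_SIZE. Raises ValueError for non-ANI input."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON animated cursor")
    findings = []
    pos = 12  # first chunk follows 'RIFF' + size + 'ACON'
    while pos + 8 <= len(data):
        tag, size = struct.unpack_from("<4sI", data, pos)
        if tag == b"anih" and size != ANIH_SIZE:
            findings.append((pos, size))
        if tag == b"LIST":
            pos += 12  # descend: skip tag, size and list type, then walk sub-chunks
            continue
        pos += 8 + size + (size & 1)  # an oversized length simply ends the walk
    return findings


# Constructed samples: zero-filled bodies, no real cursor data.
INFO = chunk(b"LIST", b"INFO" + chunk(b"INAM", b"demo"))
GOOD = riff_acon(INFO, chunk(b"anih", bytes(36)))
BAD = riff_acon(INFO, chunk(b"anih", bytes(80)))  # header declares 80 bytes

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        hits = check_ani(sample)
        print(name, "suspicious" if hits else "ok", hits)
```
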

Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Internet Explorer 6.0, 6.0 SP1, 6.0 SP2, 7.0
  • Microsoft Outlook Express 6.0, 6.0 SP1, 6.0 SP2
  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server Japanese Edition
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows Mail
  • Microsoft Windows ME
  • Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
  • Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter x64 Edition
  • Microsoft Windows Server 2003 Enterprise Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise x64 Edition
  • Microsoft Windows Server 2003 Itanium
  • Microsoft Windows Server 2003 Standard Edition SP1, SP1 Beta 1
  • Microsoft Windows Server 2003 Standard x64 Edition
  • Microsoft Windows Server 2003 Web Edition SP1, SP1 Beta 1
  • Microsoft Windows Vista beta, Beta 1
  • Microsoft Windows Vista December CTP
  • Microsoft Windows Vista x64 Edition
  • Microsoft Windows XP
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Embedded SP1
  • Microsoft Windows XP Gold
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Media Center Edition SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition SP1, SP2
  • Nortel Networks IP softphone 2050
  • Nortel Networks MCS 5100 3.0
  • Nortel Networks MCS 5200 3.0
  • Nortel Networks Media Processing Server
  • Nortel Networks Periphonics
  • Nortel Networks Symposium Agent
  • Nortel Networks Symposium Call Center Server (SCCS)
  • Nortel Networks Symposium Express Call Center (SECC)
  • Nortel Networks Symposium Network Control Center (NCC)
  • Nortel Networks Symposium TAPI Service Provider
  • Nortel Networks Symposium Web Center Portal (SWCP)
  • Nortel Networks Symposium Web Client

Response

Microsoft has released an advisory to address this issue in supported versions of affected applications. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Possible False Positives

There are no known cases of false positives associated with this signature.