
Cursors and Icons and Exploits—Oh My!

Updated: 29 Jun 2009
By Andy Cianciotto

Microsoft has released an out-of-band advisory today for a new exploit targeting a vulnerability in the way that Microsoft Windows handles animated cursor (.ani) files.

The vulnerability is caused by insufficient format validation prior to rendering cursors, animated cursors, and icons. If successfully exploited, it allows an attacker to perform remote code execution on the victim machine. To carry out an attack, the attacker would need to convince potential victims either to visit a Web site containing a page that exploits the vulnerability, or to view a specially crafted email message or email attachment. The attacker could cause an affected system to execute code once a user has viewed a malicious Web page, previewed or read a specially crafted message, or opened a specially crafted email attachment.

While it is similar to the vulnerability described in Microsoft Security Bulletin MS05-002, this is an entirely new vulnerability. Currently, there is no patch available from Microsoft; however, according to Microsoft's advisory, the following workaround will help to block potential attack vectors. From their advisory:

"Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail preview attack vector."

Users of Symantec products are already protected from this threat. So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension. Users are advised to ensure they have the latest security updates installed; this will help them mitigate the vulnerability until a patch is available from Microsoft. Additionally, Symantec advises users to avoid opening email messages from unknown or untrusted sources.
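Two details above are useful for triage on the defender's side: the files are RIFF containers of form type ACON regardless of what the extension says, and the bug is in format validation of the cursor structures. The following script is an added example (not Symantec's detection logic and not code from this post) that walks the RIFF chunk tree of a file, flags ACON content hiding behind a non-.ani extension, flags chunks whose declared size runs past their container, and flags an anih chunk whose size is not the 36 bytes of the documented ANIHEADER structure. The sample files, their names and the exact finding strings are constructed for the example.

```python
import struct

RIFF_MAGIC = b"RIFF"
ACON_FORM = b"ACON"
ANIHEADER_SIZE = 36  # size in bytes of the ANIHEADER structure an anih chunk carries


def _chunks(buf, start, end):
    """Walk RIFF chunks in buf[start:end], yielding (fourcc, declared_size, body_start).

    Chunk bodies are padded to an even length, so the next chunk begins at
    body_start + size rounded up to a word boundary."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        body_start = pos + 8
        yield fourcc, size, body_start
        pos = body_start + size + (size & 1)


def inspect_ani(data, filename):
    """Return a list of findings for one file; empty means 'not ACON, or nothing odd'."""
    findings = []
    if len(data) < 12 or data[:4] != RIFF_MAGIC or data[8:12] != ACON_FORM:
        return findings  # not an animated-cursor container at all

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "ani":
        findings.append(f"ACON content but extension is .{ext or '(none)'}")

    def walk(start, end):
        for fourcc, size, body_start in _chunks(data, start, end):
            name = fourcc.decode("latin-1")
            if body_start + size > end:
                findings.append(f"{name} chunk of {size} bytes runs past the end of its container")
                return  # nothing after a truncated chunk can be trusted
            if fourcc == b"anih" and size != ANIHEADER_SIZE:
                findings.append(f"anih chunk declares {size} bytes, expected {ANIHEADER_SIZE}")
            elif fourcc == b"LIST":
                walk(body_start + 4, body_start + size)  # skip the LIST's own type tag

    walk(12, len(data))
    return findings


# --- constructed sample files (not real submissions) -------------------------

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(form, *chunks):
    body = form + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# a minimal well-formed cursor: 36-byte anih (9 DWORD fields) and one frame list
GOOD_ANI = _riff(b"ACON",
                 _chunk(b"anih", struct.pack("<9I", 36, 1, 1, 32, 32, 0, 0, 6, 0)),
                 _chunk(b"LIST", b"fram" + _chunk(b"icon", bytes(22))))

# same layout, but the anih chunk is oversized and the file carries a picture extension
ODD_ANI = _riff(b"ACON",
                _chunk(b"anih", bytes(64)),
                _chunk(b"LIST", b"fram" + _chunk(b"icon", bytes(22))))

SAMPLES = {
    "pointer.ani": GOOD_ANI,
    "holiday.jpg": ODD_ANI,
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32),  # an actual JPEG header, ignored
}


def triage(samples):
    """Map each sample name to its findings."""
    return {name: inspect_ani(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The extension check is what makes the renamed-to-.jpg samples stand out; the chunk checks catch the malformed structure itself, so the script is still useful on files that arrive with the expected .ani name. Because a mail gateway or proxy sees the bytes rather than the extension Windows will use, this kind of content sniffing belongs at the gateway as well as on the endpoint.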

Update:
Security Response has released Bloodhound.Exploit.131 to detect attempts to exploit this vulnerability. Detection is available in the latest virus definitions.

Update:
Microsoft has released an out-of-band security bulletin in response to this vulnerability. Originally scheduled for publication on April 10, 2007 as part of their monthly Security Bulletin release, this specific vulnerability has been patched a week early. The vulnerability is identified in Microsoft Security Bulletin MS07-017, Vulnerabilities in GDI Could Allow Remote Code Execution (925902).

It is recommended that you apply the security patch to help mitigate exposure to this vulnerability, which is currently being exploited in the wild. In addition to the aforementioned Downloader and Trojan.Anicmoo risks, Symantec has identified W32.Fubalca (see associated blog) as exploiting this vulnerability.