1. /
  2. Security Response/
  3. Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability

Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability

Risk

High

Date Discovered

January 11, 2005

Description

A stack-based buffer overflow vulnerability is reported to affect the ANI (animated cursor files) handler on Microsoft Windows operating systems. The vulnerability exists in the ANI file header handling routines contained in the 'user32.dll' library. Ultimately the issue may be leveraged to force the execution of attacker-supplied instructions. It has been reported that this vulnerability affects any application that employs the vulnerable Internet Explorer component, for example: Microsoft Internet Explorer, Word, Excel, PowerPoint, Outlook, Outlook Express and the Windows Shell. Other applications are also affected.

Technologies Affected

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows NT Enterprise Server 4.0
  • Microsoft Windows NT Enterprise Server 4.0 SP1
  • Microsoft Windows NT Enterprise Server 4.0 SP2
  • Microsoft Windows NT Enterprise Server 4.0 SP3
  • Microsoft Windows NT Enterprise Server 4.0 SP4
  • Microsoft Windows NT Enterprise Server 4.0 SP5
  • Microsoft Windows NT Enterprise Server 4.0 SP6
  • Microsoft Windows NT Enterprise Server 4.0 SP6a
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 SP1
  • Microsoft Windows NT Server 4.0 SP2
  • Microsoft Windows NT Server 4.0 SP3
  • Microsoft Windows NT Server 4.0 SP4
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0
  • Microsoft Windows NT Terminal Server 4.0 SP1
  • Microsoft Windows NT Terminal Server 4.0 SP2
  • Microsoft Windows NT Terminal Server 4.0 SP3
  • Microsoft Windows NT Terminal Server 4.0 SP4
  • Microsoft Windows NT Terminal Server 4.0 SP5
  • Microsoft Windows NT Terminal Server 4.0 SP6
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Workstation 4.0 SP1
  • Microsoft Windows NT Workstation 4.0 SP2
  • Microsoft Windows NT Workstation 4.0 SP3
  • Microsoft Windows NT Workstation 4.0 SP4
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Embedded
  • Microsoft Windows XP Embedded SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Media Center Edition SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Tablet PC Edition SP1
  • Nortel Networks IP softphone 2050
  • Nortel Networks MCS 5100 3.0.0
  • Nortel Networks MCS 5200 3.0.0
  • Nortel Networks Media Processing Server
  • Nortel Networks Periphonics
  • Nortel Networks Symposium Agent
  • Nortel Networks Symposium Call Center Server (SCCS)
  • Nortel Networks Symposium Express Call Center (SECC)
  • Nortel Networks Symposium Network Control Center (NCC)
  • Nortel Networks Symposium TAPI Service Provider
  • Nortel Networks Symposium Web Center Portal (SWCP)
  • Nortel Networks Symposium Web Client

Recommendations

Do not accept or execute files from untrusted or unknown sources.

Avoid processing ANI files that are received unexpectedly, or that originate from users of questionable integrity.

Implement multiple redundant layers of security.

An attacker's ability to exploit this vulnerability to execute arbitrary code may be hindered through the use of various memory protection schemes. Where possible, implement the use of non-executable and randomly mapped memory segments.

Filter incoming mail containing suspicious strings before it reaches the client application.

Filter email at the email gateway; drop all ANI attachments before the email is delivered to end-users.

Run all software as a nonprivileged user with minimal access rights.

Running all software with least privileges possible may mitigate the impact of a successful exploit attempt.
Microsoft has released updates to address this vulnerability on Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. These updates are available from the Windows Update Web site. Updates for localized versions of Microsoft Windows 98 and Microsoft Windows 98 Second Edition, which are not supported by Windows Update are available for download separately. Microsoft has released updates to address this vulnerability on supported platforms. The Microsoft patch for this vulnerability may cause problems on Windows 98, 98SE, and ME operating systems. Reports suggest that after applying the patch on these operating systems there may be issues with Internet Explorer. See the References section for further information. Microsoft has released updated fixes for Windows 98, 98SE and ME to address the above issue.

Credits

This vulnerability was discovered by Yuji Ukai of eEye Digital Security.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Threat Intelligence

Subscribe
Follow the Threat Intelligence Twitter feed
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver