Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] *ANI exploit code drives INFOCon to Yellow



http://isc.sans.org/diary.html?storyid=2542
 
*ANI exploit code drives INFOCon to Yellow 
<http://isc.sans.org/diary.html?storyid=2542>  
Published: 2007-03-31,
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1) 
The ANI vulnerability has been been of recent concern.  I've been waiting for a 
few key events to be confirmed before adjusting the INFOCon 
<http://isc.sans.org/infocon.html> .  We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4,)  FS/ISAC's 
Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) 
all have their particular niche.  Symantec focuses on their AV and 
managed-security-service customers.  FS/ISAC focuses on financial institutions. 
 The Internet Storm Center's INFOCon intent is to "to reflect changes in 
malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise 
the INFOCon level.  Now, we have a different landscape.



*       Exploit code has been publicly released which allows trivial 
modification to add any arbitrary payload. 
*       The number of malicious sites reported is rising rapidly, limiting the 
efficacy of blacklisting. 
*       The number of compromised sites pointing to malicious sites is also on 
the rise. 

Recommendations:


*       Keep anti-virus up-to-date.  So far this is the most effective layer, 
particularly generic signatures that detect non-compliant ANI files.  Also, the 
secondary payloads downloaded by these exploits are often detectable (not 
always though.) 
*       Content-filtering.  If your environment supports it, dropping ANI files 
(not based on file extention, but actual file-inspection) may be prudent until 
patches are deployed.  This will impact your myspace.com browsing experience 
though. 

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 
UTC) 
 
---------------------------
Windows Animated Cursor Handling vulnerability - CVE-2007-0038 
<http://isc.sans.org/diary.html?storyid=2534>  
Published: 2007-03-29,
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14) 

Important Update 
Proof of Concept Exploit code was released publicly after US business hours on 
Friday. While nowhere near an official patch, please consider the below 
mitigation measures and handler Donald's entry on detecting and blocking these 
attacks <http://isc.sans.org/diary.html?storyid=2540> .


________________________________

Microsoft has released advisory 935423 
<http://www.microsoft.com/technet/security/advisory/935423.mspx>  regarding a 
vulnerability in Windows Animated Cursor Handling. A bug in the way Windows 
renders  animated cursor files can allow execution of arbitrary code under the 
privileges of the user that downloaded the malicious file. CVE-2007-0038 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038>  (previously also 
CVE-2007-1765 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765> ) has been 
assigned to this vulnerability



Affected are Win2k, XP, Server 2003 and Vista (UPDATED). While Animated cursors 
are usually downloaded as .ani files, blocking these files is not sufficient to 
mitigate the vulnerability. We have received reports of this vulnerability 
being exploited in the wild using files renamed to jpeg. 

McAfee has a blog entry <http://www.avertlabs.com/research/blog/?p=230>  up on 
this. They also have a second blog entry 
<http://www.avertlabs.com/research/blog/?p=233>  with a video showing windows 
explorer crashing in a loop on windows vista when dropping a malicious animated 
cursor on the desktop. Trend Micro is reporting 
<http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=TROJ_ANICMOO.AX>
  here on malicious .ANI files and related links being spread over the web and 
through e-mail that attempt to download a trojan executable WINCF.EXE. 


Mitigation:

*       Microsoft is reporting that users of Internet Explorer 7 with 
Protection Mode are protected from active exploitation. 
*       E-mails opened in plaintext will not show embedded ANI files. Note that 
HTML attachments can still be interpreted when separately clicked upon.  
[Thunderbird 
<http://kb.mozillazine.org/Plain_text_e-mail_%28Thunderbird%29#Reading_e-mail_in_plain_text>
  | Outlook <http://support.microsoft.com/kb/831607>  & 2.0 
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;307594> ]. 
*       Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, 
Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific 
file was also discovered by a product triggering on a signature written for 
MS05-002, a similar vulnerability from 2005. This will not apply to most 
exploits in the wild. 
*       Microsoft has now confirmed 
<http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx>
  that: 

        *       Outlook 2007 users are protected (as the tool uses Word to 
display HTML messages); 
        *       Users of Windows Mail on Vista are protected if they do not 
forward or reply to malicious e-mail; 
        *       Outlook Express users remain vulnerable even when reading 
e-mail as plaintext. 

*       Eeye has released an unofficial patch 
<http://research.eeye.com/html/alerts/zeroday/20070328.html>  that you may wish 
to consider 

The vulnerability has been added to our missing microsoft 
<http://isc.sans.org/diary.html?storyid=1940>  patches table.

Vulnerability timeline
Microsoft has provided an update 
<http://blogs.technet.com/msrc/archive/2007/03/30/update-on-microsoft-security-advisory-935423.aspx>
  on their MSRC blog, answering a number of questions that people have been 
asking.

*       Vulnerability was reported to MSFT in December by Determina. 
*       MSFT has been working on the vulnerability 
*       Reports of the exploit were sent to MSFT on the 28th, they initiated 
their incident response plan 
*       An update is expected with the normal monthly fixes 

References:

CVE 2007-0038 <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0038> 
A good write-up and analysis of one ani exploit in action 
<http://www.mnin.org/write/ani-notes.pdf> 
Arbor Network's write-up 
<http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/> 





 




Copyright © Lexa Software, 1996-2009.