NSFOCUS Security Team has discovered that Microsoft Windows contains a stack buffer overflow in the handling of animated cursor files, which could be exploited by remote attackers to take complete control of an affected system.
The issue is a stack overflow in the "LoadAniIcon()" function in user32.dll, which is called when cursors are rendered: Windows fails to properly validate the size specified in the ANI header before copying the header data. The vulnerability can be triggered, for example, when an animated cursor or icon embedded in a Web page is opened, when the folder containing such a file is opened in Windows Explorer, or when the file is used as a cursor in Internet Explorer.
The vulnerability can be exploited by inserting malicious code into Web pages, sending malicious e-mails, or copying ANI files to a shared directory. Note that Windows Explorer processes ANI files regardless of their extension (.ani, .cur or .ico, among others), and an ANI file served with a .jpg extension in a Web page is processed as well, so the extension alone is not a reliable indicator of content.
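The two points above (a trusted size field in the ANI header, and ANI content hiding behind an unrelated extension) are both things a defender can check for on the wire or on disk. The following Python scanner is an added example, not code from the advisory or from NSFOCUS: it walks the RIFF chunks of a candidate file, flags an "anih" header whose declared length differs from the fixed 36-byte structure that a well-formed file carries, flags chunks whose declared length runs past the end of the file, and flags RIFF/ACON content behind a non-cursor extension. The 36-byte structure size and the extension list are assumptions of this example (the advisory does not state them); the sample files are constructed inline and are not real malware.

```python
import struct

# Size of the anih structure: nine little-endian DWORDs. This is an assumption
# of the example; the advisory only says the size in the header is trusted.
ANIH_EXPECTED_SIZE = 36
# Extensions Windows associates with cursors/icons (assumed list, see advisory).
CURSOR_EXTENSIONS = (".ani", ".cur", ".ico")


def iter_riff_chunks(data, start, end):
    """Yield (fourcc, declared_length, payload) for each top-level chunk in data[start:end].

    The payload is clipped to the bytes actually present, so a lying length
    field never causes an out-of-bounds read here; callers compare
    declared_length with len(payload) to detect the lie.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (declared,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        payload = data[body:min(body + declared, end)]
        yield fourcc, declared, payload
        pos = body + declared + (declared & 1)  # RIFF pads odd-sized chunks to even


def scan_ani(data, filename=""):
    """Return a list of human-readable findings for one candidate ANI file (empty if clean)."""
    findings = []
    # Only RIFF files with the ACON form type are animated cursors.
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return findings
    if filename and not filename.lower().endswith(CURSOR_EXTENSIONS):
        findings.append(f"RIFF/ACON content behind non-cursor extension: {filename}")
    for fourcc, declared, payload in iter_riff_chunks(data, 12, len(data)):
        name = fourcc.decode("ascii", "replace")
        if declared != len(payload):
            findings.append(f"{name} chunk declares {declared} bytes but only {len(payload)} are present")
        if fourcc == b"anih" and declared != ANIH_EXPECTED_SIZE:
            findings.append(f"anih chunk declares {declared} bytes, expected {ANIH_EXPECTED_SIZE}")
    return findings


def scan_file(path):
    """Convenience wrapper: scan a file on disk, using its name for the extension check."""
    with open(path, "rb") as fh:
        return scan_ani(fh.read(), path)


def build_ani(anih_payload):
    """Assemble a minimal RIFF/ACON file around the given anih payload (constructed test data)."""
    anih = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    if len(anih_payload) & 1:
        anih += b"\x00"
    return b"RIFF" + struct.pack("<I", 4 + len(anih)) + b"ACON" + anih


# Constructed samples: a well-formed header (36 bytes: cbSizeof, cFrames, cSteps,
# cx, cy, cBitCount, cPlanes, JifRate, flags) and one whose header claims 200 bytes.
WELL_FORMED = build_ani(struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1))
OVERSIZED = build_ani(bytes(200))

if __name__ == "__main__":
    for name, blob in (("pointer.ani", WELL_FORMED), ("photo.jpg", OVERSIZED)):
        print(name, scan_ani(blob, name) or "clean")
```

The scanner deliberately clips every payload to the bytes actually present before doing anything with it, which is the validation step the advisory says is missing in user32.dll; the extension check covers the .jpg case separately, because the format sniffing alone already tells you the file is an animated cursor whatever it is called.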
NSFOCUS Security Team warned that this critical vulnerability, which affects all versions of Windows from Windows 2000 through Vista, is being actively exploited: so far it has been used to insert malicious code into Web sites in order to install Trojan horses and take complete control of vulnerable systems.
NSFOCUS recommends the following workarounds to mitigate the threat until a fix from Microsoft is available:

1. Read e-mail messages in plain text format. This helps prevent exploitation of this vulnerability through e-mail.

2. Avoid visiting Web sites if at all possible until a fix from Microsoft is available; if browsing is absolutely necessary, Firefox and Opera are recommended. Note that even legitimate Web sites may have had malicious code inserted into them. Unlike previous vulnerabilities of this kind, this one may also affect Firefox, Opera and other browsers, so using those third-party browsers mitigates exploitation attempts effectively but not absolutely.

3. Enable the "Use Windows classic folders" option to mitigate the Windows Explorer attack vector. In Windows Explorer, select Folder Options from the Tools menu, then select "Use Windows classic folders" in the Tasks section.

4. If you are running Windows XP/2003/Vista, select "Turn on DEP for all programs and services except those I select". See: http://www.microsoft.com/china/technet/security/prodtech/windowsxp/depcnfxp.mspx
According to NSFOCUS, these workarounds will not prevent exploitation of this vulnerability, but may reduce the chances of exploitation.