Anup’s Home Page


Windows animated cursor flaw–150 sites infected
May 13, 2007, 9:42 pm
Filed under: Computers and Internet

There’s a new Microsoft Windows vulnerability being exploited across the Internet on over 150 Web sites. The vulnerability is caused by an unspecified error in the way Windows 2000, XP, and Vista handle animated cursors.

Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type, so simply blocking .ani files won’t necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to originate from the following sites, which you may want to block:

wsfgfdgrtyhgfd. net

85.255.113.4

uniq-soft.com

fdghewrtewrtyrew. biz

newasp.com.cn

To become infected, users must be using Internet Explorer 6 or 7; there is no need to click, as just visiting an infected site is enough for an infection. The flaw does not affect the Firefox or Opera browsers. Microsoft will release a patch on April 3, 2007. Until a patch is released, users should browse the Internet using a non-Internet Explorer browser.

Microsoft Security Advisory: http://www.microsoft.com/technet/security/advisory/935423.mspx
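The article's point that blocking the .ani suffix is not enough suggests recognising animated cursors by their content instead of their name. The sketch below is an added example, not code from the original post or from Microsoft; the function names, the constructed samples and the well-formedness checks are assumptions made here, based on the RIFF container layout that animated cursors use (form type ACON, 36-byte anih header chunk).

```python
import struct

ANIH_SIZE = 36  # ANI header: nine 32-bit little-endian fields

def chunk(cid, payload):
    """Encode one RIFF chunk; payloads are padded to an even length."""
    return cid + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

def riff(form, *chunks):
    body = form + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def top_level_chunks(data):
    """Yield (id, declared_size, offset) for each chunk after the RIFF header."""
    pos = 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        yield cid, size, pos
        pos += 8 + size + (size & 1)

def classify(filename, data):
    """Return (is_animated_cursor, findings), judged from the bytes alone."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return False, []
    findings = []
    if not filename.lower().endswith(".ani"):
        findings.append("animated-cursor content under a non-.ani name")
    seen_header = False
    for cid, size, pos in top_level_chunks(data):
        if cid == b"anih":
            seen_header = True
            if size != ANIH_SIZE:
                findings.append(f"anih chunk declares {size} bytes, expected {ANIH_SIZE}")
        if pos + 8 + size > len(data):
            findings.append(f"chunk at offset {pos} runs past end of file")
            break
    if not seen_header:
        findings.append("no anih header chunk")
    return True, findings

# Constructed samples (not real cursor or audio files).
SAMPLE_ANI = riff(b"ACON", chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
SAMPLE_WAV = riff(b"WAVE", chunk(b"fmt ", bytes(16)))

if __name__ == "__main__":
    for name, blob in [("pointer.ani", SAMPLE_ANI), ("banner.jpg", SAMPLE_ANI),
                       ("sound.ani", SAMPLE_WAV), ("cut.ani", SAMPLE_ANI[:-10])]:
        print(name, classify(name, blob))
```

A filter built this way treats the file name only as a hint: the same bytes are recognised as an animated cursor whether they arrive as pointer.ani or banner.jpg.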


Animated cursor attacks escalate; emergency patch coming

Microsoft plans to release an emergency, out-of-cycle Windows update on Tuesday, April 3, 2006 to patch the animated cursor (.ani) vulnerability currently being used in widespread malware attacks.

The decision follows a weekend of escalated attacks, which include a self-propagating worm spotted in China and the discovery of hundreds (possibly thousands) of hacked Web sites hosting animated cursor exploits.

According to Christopher Budd, a program manager in the MSRC (Microsoft Security Response Center), the out-of-band patch is in response to the increased attacks and the public disclosure of proof-of-concept code.

“In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007,” Budd said in a blog entry.

The proof-of-concept code is available at Milw0rm.com, a public repository for free exploits. The remote exploit code even bypasses the unofficial patch being offered by eEye Digital Security.

Dave Aitel’s Immunity has also released an exploit in its CANVAS penetration testing platform.

Courtesy: C.Net