Unpatched Drive-By Exploit Found On The Web
Wednesday March 28, 2007 at 4:44 pm CST
Posted by Craig Schmugar
Several of my posts over the last few months have centered on very targeted zero-day attacks. This post covers an exploit that McAfee researchers discovered in the field, posted to a message board. That posting was simply a proof of concept; however, McAfee Avert Labs has since received a malicious sample as well. It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.
Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
The vulnerability lies in the handling of malformed ANI files. Known exploits download and execute arbitrary exe files. This vulnerability is reminiscent of MS05-002.
More information will be posted as it becomes available.
Update March 29 @ Noon
Additional information has been posted here:
http://www.avertlabs.com/research/blog/?p=233
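The post names the root cause only as the handling of malformed ANI files. As an added example (not McAfee's or Microsoft's code), the Python checker below walks the RIFF/ACON chunk tree of an .ani file and reports structural violations of the documented format: an anih chunk whose length differs from the 36-byte ANIHEADER, a chunk whose declared size runs past its container, a RIFF size field that disagrees with the file length, and a file that does not carry exactly one anih chunk. The 36-byte header size comes from the ANI format itself; the set of checks is my own choice of conformance rules, not a signature for any particular exploit, and the sample files are constructed inline rather than taken from real cursors or malware.

```python
"""Structural checker for Windows animated-cursor (.ani) files.

Added example, not code from the McAfee post: walks the RIFF/ACON chunk tree
and reports chunks that violate the documented layout. Sample files are
constructed below; none of them is a real cursor or a real malicious sample.
"""
import struct

ANIH_SIZE = 36          # sizeof(ANIHEADER): nine little-endian DWORDs


def _iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, payload, truncated) for each RIFF chunk."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        start = offset + 8
        stop = start + size
        if stop > end:                      # declared size runs past the container
            yield fourcc, start, data[start:end], True
            return
        yield fourcc, start, data[start:stop], False
        offset = stop + (size & 1)          # RIFF chunks are word aligned


def _walk(data, offset, end, findings, counts):
    """Recursively inspect chunks; LIST chunks carry a form type then sub-chunks."""
    for fourcc, start, payload, truncated in _iter_chunks(data, offset, end):
        hdr = start - 8
        if truncated:
            findings.append(f"chunk {fourcc!r} at 0x{hdr:x} extends past its container")
            continue
        if fourcc == b"anih":
            counts["anih"] += 1
            if len(payload) != ANIH_SIZE:
                findings.append(f"anih at 0x{hdr:x} has size {len(payload)}, expected {ANIH_SIZE}")
            else:
                (cb_size,) = struct.unpack_from("<I", payload, 0)
                if cb_size != ANIH_SIZE:
                    findings.append(f"anih at 0x{hdr:x} cbSize={cb_size}, expected {ANIH_SIZE}")
        elif fourcc == b"LIST":
            if len(payload) < 4:
                findings.append(f"LIST at 0x{hdr:x} has no form type")
            else:
                _walk(data, start + 4, start + len(payload), findings, counts)


def check_ani(data: bytes):
    """Return a list of structural findings; an empty list means well formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        findings.append(f"RIFF size {riff_size} does not match file length {len(data)}")
    counts = {"anih": 0}
    _walk(data, 12, len(data), findings, counts)
    if counts["anih"] != 1:
        findings.append(f"expected exactly one anih chunk, found {counts['anih']}")
    return findings


# --- constructed sample files (assumptions for this example, not real data) ---
def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _ani(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 0, 0, 10, 1)
FRAME = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))   # placeholder frame

GOOD_ANI = _ani(_chunk(b"anih", GOOD_HEADER), FRAME)
# Header chunk of 64 bytes where the format defines 36.
BAD_ANI = _ani(_chunk(b"anih", GOOD_HEADER + b"A" * 28), FRAME)
# Two header chunks, the second nested inside the frame list.
DUP_ANI = _ani(_chunk(b"anih", GOOD_HEADER),
               _chunk(b"LIST", b"fram" + _chunk(b"anih", GOOD_HEADER)))

if __name__ == "__main__":
    for name, blob in [("good", GOOD_ANI), ("oversized", BAD_ANI), ("duplicate", DUP_ANI)]:
        print(name, check_ani(blob) or "ok")
```

Because the checker works on raw bytes rather than on a file name or extension, the same function can be applied to objects extracted from a container (an attachment, a web download, or an embedded object pulled out of a document) before the bytes reach a cursor-loading code path; a non-empty findings list is a reason to quarantine the object, not proof of a specific exploit.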

March 29th, 2007 at 01:25
This is probably related to the vulnerability I discovered and reported to Microsoft in December of last year. It was assigned CVE-2007-0037 and is described in more detail on our zero-day page: http://www.determina.com/security_center/zero_day.asp
If this is indeed the same issue, Internet Explorer 6, 7 and Firefox are vulnerable on all platforms, including Vista.
March 29th, 2007 at 07:58
[...] McAfee Avert Labs Blog – Unpatched Drive-By Exploit Found On The Web [...]
March 29th, 2007 at 08:31
Can you comment on the following article? Specifically, is VirusScan Enterprise capable of effectively scanning RTF files for this sort of vulnerability? I understand that it may take you some time to develop a signature for the vulnerability, but can VirusScan actually look inside RTF files and scan embedded objects effectively?
http://isc.sans.org/diary.html?storyid=2528
Thanks,
Jeff
March 29th, 2007 at 10:19
[...] Microsoft has not yet completed an investigation, but McAfee has had some time to look into it, and reported it publicly yesterday. According to McAfee researcher Craig Schmugar, the flaw exists in the way IE handles malformed .ani files (the format is used to read and store Windows Animated Cursors) and malicious code can be easily placed on an attacker’s Web site to trigger the vulnerability. McAfee was able to demonstrate the vulnerability exists on fully-patched WinXP SP2 systems. [...]
March 29th, 2007 at 12:34
[...] Trackback [...]
March 29th, 2007 at 17:42
[...] Today, Microsoft announced that the flaw reported yesterday by McAfee on its research blog really does exist. [...]
March 29th, 2007 at 18:00
Run the Cayman browser, with Sandboxie wrapped around it. This seems to make web surfing a treat.
March 29th, 2007 at 23:03
[...] Trackback Another follow-up to my Unpatched Drive-By Exploit Found On The Web post. [...]
March 30th, 2007 at 00:33
Anybody know if turning off active-scripting is a viable way of protecting yourself from this vulnerability?
Our company doesn’t allow scripts to execute from non-trusted sites, and we block file attachments, but this vulnerability appears to bypass even these defenses.
March 30th, 2007 at 01:47
[...] Posted by hony on March 30th, 2007: McAfee has discovered a critical bug affecting all versions of Windows that allows malware code to be installed via the web or e-mail. [...]
March 30th, 2007 at 02:59
[...] OTHER REFERENCES: * Unpatched Drive-By Exploit Found On The Web, security advisory on McAfee’s blog * Exploit-ANIfile.c, McAfee’s exploit description [...]
March 30th, 2007 at 08:10
[...] Antivirus vendor McAfee Inc. first noted the drive-by vulnerability late yesterday, when Craig Schmugar, virus research manager at the company’s Avert Labs, blogged about tests that showed an up-to-date copy of Windows XP SP2 was vulnerable via Internet Explorer 6 and 7. According to Schmugar, users running Firefox 2.0 appear to be safe from drive-by exploits using the vulnerability. [...]
March 30th, 2007 at 09:32
[...] From McAfee: [...]
March 30th, 2007 at 11:35
[...] McAfee Blog [...]
March 30th, 2007 at 12:46
[...] Here’s some more info on the animated cursors vulnerability. This information is from McAfee : [...]
March 30th, 2007 at 12:51
Cursor hole in IE…
According to a McAfee blog entry, IE6 and 7 contain an unpatched hole through which, with the help of .ANI files (which normally contain animated cursors), malicious code can be executed unnoticed on the attacked system…
March 30th, 2007 at 13:42
[...] * Unpatched Drive-By Exploit Found On The Web [...]
March 30th, 2007 at 13:46
In response to Jeff & VSE & scanning RTF files…
RTF decomposition is handled in the scan engine and has been for as long as I can remember. Therefore all McAfee products that use the AV scan engine are able to “look inside” such RTFs.
March 30th, 2007 at 13:48
Re: Ross & disabling active-scripting…
While disabling active-scripting would work on some attacks, it would not work on all of them. Scripting is not a requirement for this attack to succeed.
March 30th, 2007 at 19:12
[...] The security company McAfee had detected the appearance of malicious websites that took advantage of this security flaw in the operating system. [...]
March 31st, 2007 at 11:25
Could this be the reason why my hard drive gave up the ghost and was totally corrupted after a McAfee update & restart on Wednesday 28th?
April 1st, 2007 at 04:59
[...] The flaw is present on virtually the entire line of Windows OSes, including Vista, which has been held up as Redmond’s poster child for safe computing. According to McAfee, Windows users browsing malicious sites using Internet Explorer versions 6 or 7 risk having arbitrary code run on their machines. Those using Firefox are not vulnerable. Microsoft said in an advisory that those using IE 7 on Vista are safe from the vulnerability because of a protected mode, which restricts where the browser can write files. [...]
April 2nd, 2007 at 07:49
I had a problem with my home computer, which has McAfee, and it said I needed to download a file from Microsoft to have the McAfee update work. I went to the web site that looked like an MS site and downloaded a 23 or 24 MB file. When I did that my cursor locked in the center of the screen and was unresponsive. I restarted my computer and the cursor is locked in the center of the screen and the keyboard does nothing. Is this the ANI? How do I repair the problem?
April 2nd, 2007 at 15:43
[...] [1] Latest on security update for Microsoft Security Advisory 935423 (2007-04-01) [MS Security Blog] [2] *Microsoft to Release Out-of-Schedule Patch for ANI Vulnerability (2007-04-02) [SANS] [3] Microsoft Security Bulletin Advance Notification (2007-04-01) [MS] [4] Windows Animated Cursor Handling vulnerability – CVE-2007-0038 (2007-03-29) [SANS] [5] Microsoft Security Advisory (935423) – Vulnerability in Windows Animated Cursor Handling (2007-03-29) [MS TechNet] [6] Unpatched Drive-By Exploit Found On The Web (2007-03-28) [McAfee Blog] [...]
April 3rd, 2007 at 12:18
[...] Maarten Van Horenbeeck, a handler at the Internet Storm Center, stated on its site that their organization has already identified domains hosting malicious code that exploits this vulnerability; Craig Schmugar, a McAfee researcher, said the same on his blog. “Preliminary tests have shown that Internet Explorer versions 6 and 7, running on a Windows XP SP2 system with all patches installed, are vulnerable to this exploit,” wrote Schmugar, adding that the exploit downloads and executes arbitrary *.exe files. “The process happens completely unnoticed.” [...]
May 22nd, 2007 at 14:34
[...] McAfee was the first to raise the alert for the attacks, warning that the exploit simply requires that a user is lured to a maliciously rigged Web page: Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently. [...]
May 22nd, 2007 at 14:38
[...] Originally reported by McAfee, the vulnerability is related to animation files played in Internet Explorer versions 6 and 7 even in fully patched systems. [...]
June 4th, 2007 at 20:03
Windows XP is not good
January 21st, 2008 at 10:49
[...] According to this Secunia advisory from today and the McAfee advisory from March 28 (also found on Microsoft’s site), the animated cursor found in pretty much any Microsoft OS (XP, Vista, 2000, 2003) can be used to exploit the machine? This exploit will give you the same level of access to the machine in question as the user using it. This means, generally speaking, full administrative rights; however, it can be less if your user is just a normal user, such as corporate users. [...]
June 2nd, 2008 at 15:52
While disabling active-scripting would work on some attacks, it would not work on all of them.
http://www.bencehersey.net
July 24th, 2008 at 18:24
[...] http://www.avertlabs.com/research/blog/?p=230 [...]
October 24th, 2008 at 05:54
[...] more organized, and are more likely to target zero-day vulnerabilities, as we have reported on several critical incidents we have discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update [...]
February 11th, 2009 at 22:23
I’m using Firefox but haven’t had this problem; I’ll be sure to keep a lookout.
April 2nd, 2009 at 09:12
I think I have discovered a virus behaving as the WGA updater. It came up on reboot before the system tray items executed and looked and behaved like Windows Genuine Advantage at first, and it asked me to initiate its procedure. It started the language bar up again, which was unusual, and then it halted its processes. Since I have my servers and sharing, and even remote registry services, shut down, I assume it was a virus plugin which started the Chinese language font up, which I have explicitly removed from my system. The false WGA notification program was also trying to initiate servers and other resident services just before it hung. I canceled, and then it warned me that WGA notification could not be installed (bullshit). I went to Microsoft’s update site and initiated updates, which worked just fine; otherwise the WGA would have been valid!
August 31st, 2009 at 00:48
According to this Secunia advisory from today and the McAfee advisory from March 28 (also found on Microsoft’s site), the animated cursor found in pretty much any Microsoft OS (XP, Vista, 2000, 2003) can be used to exploit the machine?