Unpatched Drive-By Exploit Found on the Web (Follow-Up)
Thursday March 29, 2007 at 9:31 am CST
Posted by Craig Schmugar
In response to this issue, Microsoft has posted Security Advisory 935423. Microsoft states the following operating systems are vulnerable:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 for Itanium-based Systems
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
- Microsoft Windows Vista
Last night I had a chance to test whether Vista is vulnerable. In the process of setting up the environment, I dragged and dropped a malicious ANI file onto the desktop. This causes Vista to enter an endless crash-restart loop. I captured a video of this occurring.
Note that this crash-restart loop doesn't represent current real-world attacks, which are delivered over the Web; those attacks would most likely arrive through a Web browser.

March 29th, 2007 at 11:11
[...] Additional information has been posted here: http://www.avertlabs.com/research/blog/?p=233 [...]
March 29th, 2007 at 12:37
[...] Trackback [...]
March 29th, 2007 at 15:46
[...] McAfee [...]
March 29th, 2007 at 18:18
The advisory and your writeup are a little unclear on some things. Does IE 7/Vista protected mode defeat the existing attacks?
Does Outlook/Outlook e-mail in the restricted zone still allow the attack to run? If so, does it involve further user interaction or is it just a matter of opening or previewing the message?
March 29th, 2007 at 19:51
[...] In Windows Vista there is also a curious effect when the animated cursor file is dragged onto the desktop, since Vista enters a curious cycle that can be seen in this McAfee video. [...]
March 29th, 2007 at 19:54
[...] alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; flow:established,to_server; content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;) [...]
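A defender-side check in the spirit of the Bleeding Edge signature quoted above, added here as an example and not part of the original post or of the rule set: it applies the rule's byte pattern to a buffer and, going beyond that one signature, walks the RIFF chunk list of an ANI file and flags any "anih" chunk whose declared size is not the 36 bytes of the ANIHEADER structure. The sample ANI buffers are constructed inline; the names and the 36-byte check are this example's own, not taken from the page.

```python
import struct

# Byte pattern copied from the content: field of the Snort rule quoted above.
SNORT_ANI_PATTERN = bytes.fromhex(
    "54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 "
    "02 02 02 02 61 6E 69 68 52"
)
ANIHEADER_SIZE = 36  # sizeof(ANIHEADER); a well-formed 'anih' chunk declares exactly this


def matches_snort_rule(data: bytes) -> bool:
    """True if the buffer contains the exact byte sequence from the quoted signature."""
    return SNORT_ANI_PATTERN in data


def suspicious_anih_chunks(data: bytes):
    """Walk the RIFF/ACON chunk list and return (offset, declared_size) for every
    'anih' chunk whose declared size differs from 36. Tolerates truncated input:
    a size that points past the end of the buffer simply ends the walk."""
    hits = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return hits  # not an ANI container at all
    pos = 12
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if tag == b"LIST":
            pos += 12  # descend into the list: skip its header and 4-byte list type
            continue
        if tag == b"anih" and size != ANIHEADER_SIZE:
            hits.append((pos, size))
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return hits


def build_sample_ani(anih_size: int) -> bytes:
    """Constructed test input: a minimal RIFF/ACON file with one 'anih' chunk
    whose declared size is anih_size (36 is well-formed, anything else is not)."""
    body = b"anih" + struct.pack("<I", anih_size) + b"\x00" * anih_size
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


if __name__ == "__main__":
    for size in (36, 82):
        sample = build_sample_ani(size)
        print(size, suspicious_anih_chunks(sample), matches_snort_rule(sample))
```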
March 29th, 2007 at 20:04
I want to thank you for bringing this to my attention. I recently switched to the Mac because I was tired of Windows problems. I have been hearing all the drivel about how Vista is soo safe and how it is soo secure. Government agencies that are questioning whether Microsoft operating systems are stable enough to use should take note. This is laughable. Windows is the weapon of mass destruction, not the viruses. Your video says it all. A picture is worth a thousand words, and a video is worth a thousand pictures (at a reasonable frame rate). Thanks again.
March 29th, 2007 at 23:31
[...] In a security warning published yesterday, the antivirus specialist McAfee points to a critical security hole in Windows that was believed to have been closed by Security Bulletin MS05-002 in January 2005. [...]
March 30th, 2007 at 02:36
[...] Today, in the list of news from geek-world, which never lacks a daily series of Windows bugs (but I've already gotten used to that), there is a truly amusing story about a new and annoying bug of this kind, with a video demo attached. [...]
March 30th, 2007 at 06:15
wow, that looks pretty aggravating
March 30th, 2007 at 06:42
This video is so fake
c'mon, that doesn't even look like an ANI file… a real ANI file looks like a cursor and the video is of poor quality anyway…
March 30th, 2007 at 06:46
[...] Yes, Vista can be exploited by an old flaw that was never patched.[McAfee] [...]
March 30th, 2007 at 07:00
What would happen if a malicious web designer created a page with the CSS cursor attribute pointing to a malicious ANI file on his server?
March 30th, 2007 at 08:11
While the core vulnerability exists in Vista, it is mitigated by several factors: IE7 Protected Mode (via the MIC model, wherein IE7 runs with low integrity and communicates with higher-integrity components through a broker process, thus protecting the shell and other processes from this attack) and UAC which, even if IE Protected Mode is disabled, will only allow the exploit the privileges of a standard user, making it far easier to recover from an attack.
Also, this video is not showing an OS crash-restart as is claimed but is showing a shell (explorer.exe) crash-restart. Launch Task Manager from the winlogon desktop, start a command prompt, and delete the offending file from the profile's desktop folder. If a trojan was installed, provided UAC is enabled and this attack was instigated from a non-elevated process, the scope would be limited to user-profile autostart entries in the registry, and AV/anti-malware would easily mitigate it (or one could easily remove the malware manually via Autoruns or a similar tool).
On XP this is a far more serious issue as those protection mechanisms don’t exist and the user is likely running with unrestricted admin privileges. In short, highlighting Vista may make for more dramatic coverage, but ultimately Vista’s default security settings and mechanisms work to mitigate this vulnerability exactly as advertised.
March 30th, 2007 at 08:19
[...] Simply by dragging a malicious .ani file to the Vista desktop, Schmugar was able to send the operating system over the edge, and into an endless “crash-restart” loop. He has posted a video of the Vista crash on the Avert Labs site, as well as on YouTube. [...]
March 30th, 2007 at 10:37
Way to go Microsoft.
You just never stop amazing me.
Can’t wait to upgrade to Vista !
March 30th, 2007 at 11:04