|
Title: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: don on April 02, 2007, 09:29:42 AM Quote If you're reading this with Internet Explorer on a Windows machine, don't. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination. Proof-of-concept code for the attack was released after business hours on Friday, according to SANS. Blocking .ani files won't help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs. Microsoft today posted security advisory 935423 about the exploit. Here's the full list of vulnerable systems: Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Service Pack 2 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 Microsoft Windows Server 2003 for Itanium-based Systems Microsoft Windows Server 2003 Service Pack 1 Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition Microsoft Windows Vista The company still hasn't provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765). Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft's patch when it's out. According to Microsoft, using IE 7 in Protection Mode will protect users from the exploit. SANS is reporting that anti-virus detection is picking up on the exploit, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. Microsoft has also confirmed that Outlook 2007 users are protected, as the tool uses Word to display HTML messages. The company reports that users of Windows Mail on Vista are protected if they don't forward or reply to infected e-mail. Outlook Express users won't be protected when reading e-mail in plaintext, given that this mode won't show embedded .ani files. McAfee's Avert Labs, which discovered the exploit earlier this week, has posted a video of the attack in action against Vista in which the system enters an endless crash-restart loop. McAfee said that the video doesn't reflect how the attack would look in the real world, where it would come through a Web browser. Trend Micro has a diagram of how the malware is working here. Microsoft has updated its MSRC blog to answer questions about the ANI attack that have been rolling in since it started spreading. The answers to those questions, in a nutshell: Microsoft was first alerted to the Windows animated cursor vulnerability on Dec. 20 by a security researcher at Determina. McAfee first alerted Microsoft to the attack on March 28. Microsoft is feeding its partners information through the MSRA so they can update anti-virus and intrusion detection/protection systems. The company is working on a patch now and plan to release it as part of its next Patch Tuesday. Microsoft doesn't advise you use patches from a third party (like eEye), since Microsoft hasn't tested them. Original story: http://securitywatch.eweek.com/exploits_and_attacks/ani_zero_day_takes_new_turns_to_the_ubernasty.html Don Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: mn_kthompson on April 02, 2007, 09:34:18 AM I don't understand the motivation for this. I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file. The question that raises is, why?
If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up peoples computers. I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack. Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: Craig on April 02, 2007, 09:41:20 AM My question is: what has MS been doing since Dec 20? Ok, I'll admit they're a huge company, they probably have to do tons of testing and go through a lot of red tape before they can issue a patch. But this is a pretty serious flaw, and if third parties who don't have access to source code and all of the MS developers can release patches before MS does, I think there's a big disconnect somewhere. I also don't think that it's a coincidence that MS is finally releasing a patch now that the exploit is public.
And to answer your question kthompson, this exploit isn't just a DoS...you can perform remote code execution with it as well (check out the exploits/descriptions on milw0rm). Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: don on April 02, 2007, 10:14:50 AM MS is planning an early release (by early they mean outside of the normal 2nd Tues schedule) of a patch tomorrow.
http://www.microsoft.com/technet/security/bulletin/advance.mspx Don Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: ChrisG on April 02, 2007, 11:52:24 AM I don't understand the motivation for this. I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file. The question that raises is, why? If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up peoples computers. I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack. well with the metasploit ani exploit, you have a listening server serving up these bad ani filles, once a victim clicks on it, it will upload the the payload and you can do what you want from there. download a trojan, steal info, etc. on a very cool note, on vista it wont give you system, but HD Moore hints that you can use the meterpreter payload and then call a rev2self to pull a system level shell from the exploit... w00t! Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: don on April 02, 2007, 01:56:30 PM eEye Research releases patch:
http://research.eeye.com/html/alerts/zeroday/20070328.html Don Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: Craig on April 02, 2007, 03:24:19 PM eEye patch bypass released:
http://milw0rm.com/exploits/3636 ;) Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: ChrisG on April 02, 2007, 04:38:40 PM w00t!
Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: don on April 03, 2007, 01:31:50 PM Just did manual updates to get the patch, and below is the information from Windows Update:
Quote Security Update for Windows XP (KB925902) Date last published: 4/3/2007 Typical download size: 455 KB A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. System Requirements Recommended CPU: Not specified. Recommended memory: Not specified. Recommended hard disk space: Not specified. How to Uninstall This software update can be removed via Add or Remove Programs in Control Panel. Get help and support http://support.microsoft.com More information http://go.microsoft.com/fwlink/?LinkId=84687 Interesting info from MS on this patch. The details above are vague at best. If you search the KB for the article, you can't find it. The "More Information" link goes nowhere. Hmmmmmmmmmmmm? But you can find it here: http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx Of course I had to hunt for it. Don Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: ChrisG on April 03, 2007, 02:48:40 PM hmmm back to that Mac thread.... ;D
Title: Re: ANI Zero Day Takes New Turns to the Uber-Nasty Post by: BillV on April 03, 2007, 03:45:02 PM Yeah, you gotta love how they don't give you an explanation... "Beware, someone can take control of your computer, download this to stop them!" .. sounds like a pop-up to me :P
hmmm back to that Mac thread.... ;D Haha, yup :D
Powered by SMF 1.1.5 |
SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com |