If you're reading this with Internet Explorer on a Windows machine, don't. The Windows animated cursor zero-day attack that was coming through on IE 6 and 7 running on fully patched Windows XP SP2 is now also hitting Windows 2000, Server 2003 and Vista. As F-Secure advises, better to use some other combination.

Proof-of-concept code for the attack was released after business hours on Friday, according to SANS.

Blocking .ani files won't help. SANS has picked up reports of the vulnerability being exploited in the wild with .ani files renamed as JPEGs.

Microsoft today posted security advisory 935423 about the exploit. Here's the full list of vulnerable systems:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Vista
The company still hasn't provided a patch. The vulnerability is a candidate for inclusion in the CVE (Common Vulnerabilities and Exposures) list, having been assigned the label CVE-2007-0038 (previously also CVE-2007-1765).
Although there currently is no official patch, a SANS handler has posted instructions on detecting and filtering out .ani file exploitation attempts. eEye provided a temporary patch, although the company recommends updating to Microsoft's patch when it's out.

According to Microsoft, using IE 7 in Protection Mode will protect users from the exploit. SANS is reporting that anti-virus detection is picking up on the exploit, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files.
Microsoft has also confirmed that Outlook 2007 users are protected, as the tool uses Word to display HTML messages. The company reports that users of Windows Mail on Vista are protected if they don't forward or reply to infected e-mail. Outlook Express users won't be protected when reading e-mail in plaintext, given that this mode won't show embedded .ani files.

McAfee's Avert Labs, which discovered the exploit earlier this week, has posted a video of the attack in action against Vista in which the system enters an endless crash-restart loop. McAfee said that the video doesn't reflect how the attack would look in the real world, where it would come through a Web browser.

Trend Micro has a diagram of how the malware is working here.

Microsoft has updated its MSRC blog to answer questions about the ANI attack that have been rolling in since it started spreading. The answers to those questions, in a nutshell:




Microsoft was first alerted to the Windows animated cursor vulnerability on Dec. 20 by a security researcher at Determina.

McAfee first alerted Microsoft to the attack on March 28.

Microsoft is feeding its partners information through the MSRA so they can update anti-virus and intrusion detection/protection systems.

The company is working on a patch now and plan to release it as part of its next Patch Tuesday.

Microsoft doesn't advise you use patches from a third party (like eEye), since Microsoft hasn't tested them.

I don't understand the motivation for this.  I have read that there are some spam campaigns trying to lure people to websites that are hosting the malicious file.  The question that raises is, why?

If the malicious file causes the computer to go into a boot loop then I don't see how there is any money to be made, and I can see considerable risk that you might bring prosecution on yourself by trying to mess up peoples computers.  I know that once upon a time the general opinion was that people were hacking for reputation and bragging rights, but the conventional wisdom is that the motivation has shifted to profits, and I don't see where the profits are in this attack.

Security Update for Windows XP (KB925902)
Date last published: 4/3/2007
Typical download size: 455 KB 
A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.
Recommended hard disk space: Not specified.
How to Uninstall
This software update can be removed via Add or Remove Programs in Control Panel.
Get help and support
http://support.microsoft.com
More information

http://go.microsoft.com/fwlink/?LinkId=84687

hmmm back to that Mac thread....