WatchGuard Technologies, Inc.
WatchGuard Wire

McAfee gets animated about zero-day cursor vulnerability in Windows

Microsoft confirmed the existence of a new vulnerability in a security advisory released today. To understand the new flaw, though, it helps to refer to a blog post that McAfee Avert Labs issued yesterday.

Avert Labs discovered a new, zero-day Windows exploit spreading in the wild. This exploit attacks a previously unknown vulnerability in the way Windows handles animated cursors or icons. By fooling you into loading a specially crafted animated cursor or icon (.ANI), an attacker could exploit this vulnerability to execute code on your computer with your privileges. If you're a Windows user who has local administrative privileges, an attacker could exploit this flaw to gain complete control of your machine.

If you're thinking, "Meh, this doesn't apply to me because I rarely handle animated cursor files," you would be mistaken. Attackers can easily embed animated cursors and icons within Web pages or HTML emails. Simply by visiting the wrong Web page, you could place your computer squarely in the hands of an attacker. In fact, the exploit McAfee found works silently. You don't even realize your computer has been raided by the bad guys.

McAfee warns that the flaw affects all current versions of Windows, including Vista (McAfee even posted a neat video showing this exploit forcing a Vista machine into a "crash-reboot" loop). Furthermore, Microsoft warns that although animated cursor and icon files typically have an .ANI extension, this attack is not constrained by the .ANI file type. In other words, you can't mitigate the risk of this flaw by blocking all .ANI files at your gateway. The attacker could name his attack file with some other extension instead of .ANI, and the attack will still execute, because Windows recognizes the file by its content, not its name.
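The point above, that an extension filter cannot catch this, suggests what a gateway or mail filter should do instead: recognize animated-cursor content by its RIFF container signature (form type "ACON") whatever the file is called. The following is an added example written for this article, not WatchGuard's or McAfee's code; the sample file it checks is constructed inline and the verdict labels are my own.

```python
# Added example: identify animated-cursor (ANI) content by its RIFF/ACON
# signature rather than by file extension, since a renamed file still works.
import struct

RIFF_MAGIC = b"RIFF"
ANI_FORM_TYPE = b"ACON"  # RIFF form type used by Windows animated cursors


def is_ani_content(data: bytes) -> bool:
    """True if the bytes start a RIFF container whose form type is ACON."""
    return len(data) >= 12 and data[:4] == RIFF_MAGIC and data[8:12] == ANI_FORM_TYPE


def list_riff_chunks(data: bytes) -> list:
    """Walk the top-level RIFF chunks and return (chunk_id, declared_size) pairs.
    Sizes are reported as declared; a truncated or oversized chunk ends the walk."""
    chunks = []
    pos = 12  # skip the RIFF header: 'RIFF', total size, form type
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        chunks.append((chunk_id.decode("ascii", "replace"), size))
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length
    return chunks


def classify_upload(filename: str, data: bytes) -> str:
    """Gateway-style verdict (labels are this example's own): content decides."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_ani_content(data):
        return "ani-content" if ext == "ani" else "ani-content-disguised"
    return "not-ani"


def build_sample_ani() -> bytes:
    """Constructed sample: a minimal ANI container holding one 36-byte 'anih' chunk."""
    anih = b"anih" + struct.pack("<I", 36) + b"\x00" * 36
    body = ANI_FORM_TYPE + anih
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    sample = build_sample_ani()
    for name in ("cursor.ani", "holiday.jpg"):
        print(name, classify_upload(name, sample), list_riff_chunks(sample))
```

The same check applies to content delivered inline in a Web page or HTML e-mail, which is where the article says this exploit actually arrives.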

Microsoft hasn't had time to patch this flaw yet. So what should you do? First, warn your users of this new vulnerability and continue to educate them about safe Web browsing. Next, make sure everyone has antivirus (AV) software, and keep it up-to-date. AV may not catch every code variant exploiting this vulnerability, but it can stop the known ones from working. Finally, watch for Microsoft's patch and apply it A.S.A.P. If you subscribe to LiveSecurity or LiveSecurity Informer, we'll alert you about the patch as soon as Microsoft releases it. -- Corey Nachreiner, CISSP.

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.