Attacks Escalate As Microsoft Announces Emergency .ANI Patch

Microsoft is releasing an off-cycle patch Tuesday for the .ANI vulnerability that saw an escalating number of threats appearing over the weekend. F-Secure noted that the first worm using the exploit was discovered roaming the Internet on Sunday. "This vulnerability is really tempting for the bad guys. It's easy to modify the exploit, and it can be launched via Web or e-mail fairly easily," said Mikko Hypponen, chief research officer at F-Secure. Websense Security Labs reported that researchers there now are monitoring more than 100 Web sites that are spreading the .ANI zero-day exploit. "Currently, the majority of the attacks appear to be downloading and installing generic password-stealing code. Most sites are hosted in China. Interestingly, the most popular domain space being used is .com," Websense reported on its blog.

The .ANI vulnerability lies in the way Windows handles malformed animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases and Internet Explorer is the main attack vector for the exploits. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability, view a specially crafted e-mail message, or open a specially crafted e-mail attachment sent to them by an attacker," Adrian Stone, a Microsoft researcher, wrote in a blog. The Internet Storm Center is advising users that unofficial patches that are currently available should be removed when Microsoft releases its own patch.
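The article says only that the bug is in how Windows parses malformed animated-cursor files. As an added example (not from the article, Microsoft or any vendor quoted here), the Python checker below walks the RIFF chunk layout of an .ANI file and flags the structural anomaly that the patch guards against: an "anih" header chunk whose declared length is not the 36 bytes the ANIHEADER structure occupies, or more than one such chunk. The 36-byte figure and the anih-length rule come from the published fix rather than this page, and the sample files are constructed inline for the demonstration.

```python
import struct

# A well-formed "anih" chunk carries the ANIHEADER structure: nine 32-bit
# fields, 36 bytes. Any other declared length is treated as malformed
# (this mirrors the length check in the vendor fix; assumption stated in the
# lead-in, not taken from the article).
ANIH_EXPECTED_SIZE = 36


def scan_ani(data: bytes) -> list[str]:
    """Report structural anomalies in an animated-cursor (RIFF/ACON) file.

    Returns a list of findings; an empty list means nothing suspicious was
    seen. Only top-level chunks are inspected, which is enough to catch an
    anih header of the wrong length or a duplicated anih chunk.
    """
    findings: list[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        findings.append(f"RIFF length {riff_len} exceeds file size {len(data)}")
    pos, anih_count = 12, 0
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > len(data):
            findings.append(f"chunk {fourcc!r} length {size} runs past end of file")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk length {size} != {ANIH_EXPECTED_SIZE}")
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    if anih_count == 0:
        findings.append("no anih chunk found")
    elif anih_count > 1:
        findings.append(f"unexpected extra anih chunks ({anih_count} total)")
    return findings


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"ACON" + chunks


# Constructed samples (not real files): a minimal well-formed header versus
# one whose anih chunk declares 40 bytes instead of 36.
GOOD_ANI = _riff(_chunk(b"anih", struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)))
BAD_ANI = _riff(_chunk(b"anih", b"\0" * 40))
```

Running `scan_ani` over a directory of cursor files, or over attachments at a mail gateway, gives a cheap structural triage; it is not a substitute for the vendor patch.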

"From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday, April 3, 2007," Christopher Budd, security program manager at Microsoft's Security Response Center, wrote in a blog Sunday. Budd noted that a delay is still possible if an issue is found at the last minute.

News source: InformationWeek

7 Comments


Yeah, don't forget to turn on "protected mode" IE, which is off by default. You have to run IE as administrator, edit internet options, then click the security tab and on the security dialog, make sure "enable protected mode" is checked.

Protected mode was turned off by default for compatibility reasons (at the time Adobe Reader, Flash Player, etc. would not work). I have had it on for months now with no issues.

-d

YOU'RE WRONG!
IE7 Protected Mode is ON by default; look in IE's status bar at the bottom of its window.
On Windows Vista, IE7 is immune to these exploits in its default configuration.
What you find in advanced options is DEP memory protection, which is NOT Protected Mode.

The point of Protected Mode in IE7 is that even if an attacker somehow defeated every defense mechanism, gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files.

dugbug said,
Yeah, don't forget to turn on "protected mode" IE, which is off by default. You have to run IE as administrator, edit internet options, then click the security tab and on the security dialog, make sure "enable protected mode" is checked.

Protected mode was turned off by default for compatibility reasons (at the time Adobe Reader, Flash Player, etc. would not work). I have had it on for months now with no issues.

-d

Protected Mode is absolutely enabled by default. You should NOT be running as the built-in "Administrator" account either, that's like running Linux as "root." It isn't covered by UAC, and thus won't support protected mode IE.

Note that while Vista is affected by the vulnerability, UAC and Protected Mode IE successfully prevent exploitation (for users who haven't disabled UAC at least). Outlook 2007 also thwarts e-mail based attacks.