Technical Cyber Security Alert 2007-89A
Technical Cyber Security Alert 2007-89A
Technical Cyber Security Alert 2007-89A (also known as MS07-017) was Technical Cyber Security Alert 2007-89A (also known as MS07-017) was a critical alert issued by Microsoft in March 2007.

It addressed a severe vulnerability in how Windows handled Animated Cursor (.ANI) files. This flaw, an integer overflow, allowed remote code execution. Attackers could exploit it by tricking users into viewing a malicious .ANI file, often via infected websites, emails, or shared folders.

Successful exploitation granted attackers full control over the affected system. The vulnerability was actively exploited as a zero-day before a patch was available. Microsoft released an emergency, out-of-band patch to mitigate the widespread threat. This incident highlighted the danger of seemingly harmless file types and the urgency of rapid patching.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-089A


Microsoft Windows ANI header stack buffer overflow

Original release date: March 30, 2007
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows 2000, XP, Server 2003, and Vista are affected.
Applications that provide attack vectors include:

* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
* Microsoft Windows Mail
* Microsoft Windows Explorer


Overview

An unpatched buffer overflow vulnerability in the way Microsoft
Windows handles animated cursor files is actively being exploited.


I. Description

A stack buffer overflow exists in the code that Microsoft Windows
uses to processes animated cursor files. Specifically, Microsoft
Windows fails to properly validate the size of an animated cursor
file header supplied in animated cursor files.

Animated cursor files can be included with HTML files. For
instance, a web site can use an animated cursor file to specify the
icon that the mouse pointer should use when hovering over a
hyperlink. Because of this, malicious web pages and HTML email
messages can be used to exploit this vulnerability. In addition,
animated cursor files are automatically parsed by Windows Explorer
when the containing folder is opened or the file is used as a
cursor. Because of this, opening a folder that contains a specially
crafted animated cursor file will also trigger this vulnerability.

Note that Windows Explorer will process animated cursor files with
several different file extensions, such as .ani, .cur, or .ico.
Furthermore, Windows will automatically render animated cursor
files referenced by HTML documents regardless of the animated
cursor file extension.

This vulnerability is actively being exploited.

More information is available in Vulnerability Note VU#191609.


II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code. Exploitation may occur when a user clicks a malicious link,
reads or forwards a specially crafted HTML email, or accesses a
folder containing a malicious animated cursor file.


III. Solution

Until a fix is available, refer to the Solution section of
Vulnerability Note VU#191609 for the latest workarounds.


IV. References

* Vulnerability Note VU#191609 -
<http://www.kb.cert.org/vuls/id/191609>

* Microsoft Security Advisory (935423) -
<http://www.microsoft.com/technet/security/advisory/935423.mspx>

* Unpatched Drive-By Exploit Found On The Web -
<http://www.avertlabs.com/research/blog/?p=230>

* TROJ_ANICHMOO.AX - Description and Solution -
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-089A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <This email address is being protected from spambots. You need JavaScript enabled to view it.> with "TA07-089A Feedback VU#191609" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

March 30, 2007: Initial release



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRg0/AOxOF3G+ig+rAQKCXwf/S64JCuEQb5bzW8QcbpxAZ0Zv+xtaoId4
AHRvyperlBad/XIRoYogiLgHWvroIpteaOG0ek4RbQEEdLU+u/LMNVDAE0OaezyR
9NEA8ox7kUDd8RQPIrTeQdgcOWDkWGHs0lnBIkxcmtCroBKXqTl8hDwkWSrIH8nn
PbMJpbryAoB+P1bb+u7txtL46bAihnjGEPR5JU+lBqTmmrfUb3ePokK5HzsbWHXu
UEBfoNxmhajsJejK1A5Oui+oK9VK/K1+XYLCEnvXTWTEiWn8F4Gft3j+fellTRdQ
7BZQ+Vo65HvrtiZHjZCZrkjYgngeWQRv4G9aMGhP/jnb2TlxOAIchw==
=IhG4
-----END PGP SIGNATURE-----
Social Media Share
About Contact Terms of Use Privacy Policy
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.