Security Vulnerability, Animated Cursor Remote Code Execution

03-29-07, 02:22 PM
Microsoft Windows is prone to a vulnerability that can allow attackers to execute arbitrary remote code. This issue occurs because of a memory-corruption error caused when handling malformed cursor or icon files.

An attacker can exploit this issue to execute arbitrary code with the privileges of an unsuspecting user. A successful attack can result in the compromise of affected user accounts and computers.

ISC reports: "While animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability. We have received reports of this vulnerability being exploited in the wild using files renamed to jpeg."

Microsoft Advisory:

This affects IE6 and IE7 users using the Windows 2000, Windows XP, and Windows Vista OS.
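
The ISC point quoted above, that filtering on the .ani extension misses renamed files, shown as an added example that is not part of the original post: a filter that identifies animated cursors by content instead of by name. The function names and the sample bytes are constructed for illustration; the check relies only on the RIFF container signature with form type ACON that animated cursor files carry.

```python
import struct


def riff_form(data: bytes):
    """Return the RIFF form type (e.g. b'ACON'), or None if data is not RIFF."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    return data[8:12]


def riff_chunks(data: bytes):
    """List (chunk_id, declared_size) for top-level chunks; stop at a truncated one."""
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        chunks.append((cid, size))
        if pos + 8 + size > len(data):
            break  # declared size runs past the end of the file
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return chunks


def classify(filename: str, data: bytes) -> str:
    """Classify by content first; the extension only decides whether it is disguised."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if riff_form(data) == b"ACON":
        return "ani" if ext == "ani" else "ani-disguised"
    return "other"


def make_sample_ani() -> bytes:
    """Constructed, benign sample: RIFF/ACON with one zeroed 36-byte 'anih' chunk."""
    anih = b"anih" + struct.pack("<I", 36) + bytes(36)
    body = b"ACON" + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body


SAMPLE_ANI = make_sample_ani()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + bytes(16)  # constructed: JPEG magic plus padding

if __name__ == "__main__":
    for name, blob in [("wait.ani", SAMPLE_ANI),
                       ("photo.jpeg", SAMPLE_ANI),   # cursor content, image name
                       ("photo.jpeg", SAMPLE_JPEG)]:
        print(f"{name:12} {classify(name, blob):14} {riff_chunks(blob)}")
```

A gateway or mail filter using this kind of check would act on the "ani-disguised" verdict, which an extension blocklist never sees.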

03-29-07, 02:25 PM
Remember, you cannot count on UAC to catch this as UAC is bypassable via Windows Installer manifest options:

In the Windows Vista release, there are provisions to allow non-manifested or unsigned code to run with administrative privileges.

* Manifest to mark an application with the requested execution level
  o <requestedExecutionLevel level="asInvoker|highestAvailable|requireAdministrator" uiAccess="true|false"/>
  o -- level --
    + asInvoker—The application runs with the same token as the parent process
    + highestAvailable—The application runs with the highest privileges the current user can obtain.
    + requireAdministrator—The application runs only for administrators
  o -- uiAccess --
    + true—The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications.