JANET CSIRT
ja.net
the UK's education and research network

© The JNT Association 2007

Windows Animated Cursor vulnerability

3rd April 2007
Update 4th April 2007: patch set MS07-17 released (KB925902)
Update 5th April 2007: Hotfix released (KB935448)

The Windows facility for animated cursors does not sufficiently check the data it loads (typically .ani files).
As usual, this allows code and data from a rogue HTML document, such as a Web page or e-mail message, to affect the behaviour of parts of the system other than those which a user or administrator might expect. Most Windows versions are affected.

Microsoft will release a security update today (Tuesday 3 Apr 2007) for the problem. JANET organizations should confirm, as soon as it appears, that today's update is compatible with their own environment, and then arrange to deploy it without delay.
Until then users might be urged to be careful about e-mail messages or Web pages they look at, and to use anti-virus, anti-spyware and other products some of which will detect and suppress attempts at misuse; but this applies to all use of the Internet and is a reminder rather than new or specific advice.

At least one exploit (Anicmoo) is already active on the Internet.

Microsoft's view in their advisory notice is that the proper defence is to disable any malicious files before they can be executed, using proprietary scanning products.
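As an illustration of the kind of data check involved, and of what a file scanner can test before a cursor file reaches Windows, the following is an added example (not code from JANET CSIRT or Microsoft). It assumes the publicly documented RIFF/ACON layout of .ani files with a single 36-byte `anih` header chunk; the function names and sample files are hypothetical and constructed for this example.

```python
import struct

ANIH_SIZE = 36  # assumption: the ANI header chunk ("anih") is nine 32-bit fields

def check_ani(data: bytes) -> list:
    """Return a list of structural problems found in an ANI (RIFF/ACON) file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    problems = []
    if struct.unpack_from("<I", data, 4)[0] + 8 > len(data):
        problems.append("RIFF size exceeds file length")
    anih_count, pos, end = 0, 12, len(data)
    while pos + 8 <= end:
        tag, size = data[pos:pos + 4], struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:  # declared length runs past the end of the file
            problems.append(f"{tag!r} at offset {pos} claims {size} bytes, "
                            f"only {end - body} remain")
            break
        if tag == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                problems.append(f"anih at offset {pos} is {size} bytes, "
                                f"expected {ANIH_SIZE}")
        if tag == b"LIST" and size >= 4:
            pos = body + 4  # step over the list type and walk its sub-chunks
        else:
            pos = body + size + (size & 1)  # RIFF chunks are word-aligned
    if anih_count != 1:
        problems.append(f"{anih_count} anih chunks, expected exactly 1")
    return problems

# Constructed sample files (zero-filled, no cursor images) for demonstration.
def chunk(tag: bytes, body: bytes) -> bytes:
    return tag + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")

def riff(*chunks: bytes) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD = riff(chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
BAD = riff(chunk(b"anih", bytes(36)), chunk(b"anih", bytes(40)))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", GOOD[:-4])):
        print(name, check_ani(sample) or "no structural problems")
```

A clean result here only means the file is structurally consistent; it does not replace the update or an anti-virus product.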

Although several Windows applications through which the flaw might commonly be exploited can be configured to reduce exposure in the absence of the update, the protection in each case is only partial.
An attacker will not be able to directly acquire elevated privilege through this exploit.

Additional hotfix

The patch issued (KB925902) was not compatible with certain Realtek drivers. A further hotfix (KB935448) may be required but is not available through the more obvious update mechanisms such as Microsoft Update.

Vendor information

(all offsite links)

If you have any questions which public Web sites do not answer, you are welcome to raise them on the UK-Security discussion list or directly with JANET CSIRT <irt@csirt.ja.net>.

Initial advice issued by Rodney Tillotson, JANET CSIRT