Cursor flaw exposes Windows to malicious code threat

Multiple versions of Windows are at risk from a recently discovered security hole, whereby malicious code can find its way onto systems via cursor and icon customisation options.

Microsoft has already posted a security advisory detailing the issue, as well as updating its OneCare security software for consumers in an attempt to minimise the problem ahead of a long-term fix.

The advisory says all of Microsoft's supported versions of Windows for the desktop are affected, from Windows 2000 SP4 to Vista as well as versions of Windows Server 2003.

The affected software performs 'insufficient format validation prior to rendering cursors, animated cursors, and icons'. An attacker can create a web page or embedded email and by persuading a target to view that content could install malicious code on the system.

McAfee says Vista is only vulnerable to a denial of service attack. Microsoft's own investigation has discovered that users of Outlook 2007 are protected against the attack, as are users of Windows Mail on Vista as long as users do not forward or reply to the attacker's email. Outlook Express users are vulnerable, even if they are only viewing mail in text.

Microsoft describes the attacks as 'targeted and not widespread,' although McAfee has discovered many compromised servers hosting the exploit code for this .ani vulnerability. 'Googling the referenced script yields 113,000 results. It's likely that most of those sites were compromised through SQL injection vulnerabilities. Of course many of these sites have been cleaned up, malicious references removed, but not all,' it says.

While OneCare users are protected, users of other security software will be updated as new attacks are discovered. Some users may already be protected. According to F-Secure, 'A sample that is possibly related to this has been obtained and is detected as Exploit:W32/Ani.C since update 2007-03-29_09. This sample downloads a copy of a Trojan that has already been detected as Trojan-Downloader.Win32.Small.ELA.'

Symantec too says its users remain protected. 'So far, Security Response has received only a handful of submissions of the exploit. Currently, all samples have been detected as either Downloader or Trojan.Anicmoo. The submitted files are generally .ani files from malicious Web sites that have been renamed with a .jpg extension,' it says.

Microsoft suggests reading email only in plain text, ensuring firewall and security software is up to date, keep Windows updated and treat all file transfers with suspicion.

Microsoft says it will be necessary to issue a security update, although it is not yet clear whether this will be within the normal monthly parameters or an out of cycle release.