这个漏洞影响真是超大,才发现没多久,就已经灾情惨重,哀号遍野了,连利用此漏洞的复合式蠕虫都已经出现了:D
Microsoft Windows Animated Cursor Handling Vulnerability
Critical: Extremely critical
Secunia Advisory: SA24659
Release Date: 2007-03-30
危害程度是最高的喔!!
有这么严重吗? 为什么?
(1)弱点触发的地方是一个关键。
(2)微软还未推出修补档。
(3)是一个远端可任意执行程式码的弱点,这种弱点安全公司通常都列为极端严重。
弱点触发说明:
(1)因为Windows系统档user32.dll里面有一个载入图像的api叫作LoadImage,没有检查载入的滑鼠游标档档头大小,
并且直接把游标档档头资料复制到系统堆叠,因为没有检查档头大小,攻击者设计一个异常(过大)的档头资料,结果就把堆叠覆盖了>.< 使得程式流程被带到攻击者预先设计好的程 式码中,可以随心所欲的下载木马、后门等Spyware。
(2)另外此弱点不是发生在某个特定程式,如iexplorer.exe等,而是发生在系统档案user32.dll,天ㄚ,只要有用到LoadImage载入的通杀!!
你想想看,现在浏览网站是不是超恐怖?
昨天我们报导了一个Windows .ANI动画即可将Windows Vista陷入Explorer崩溃死循环的消息,目前微软已经确认了这一问题并正在组织解决方案,但第三方的安全组织eEye却先人一步,提供了第三方修正,这已经不是他们第一次先于微软发布修正了,至于质量如何,大家不妨可以研究研究.
查看:Windows .ANI Processing Zero-Day Tracker
http://research.eeye.com/html/a...20070328.htmleEye Digital Security
Windows ANI Zero-Day With eEye PatchHey Readers,
Pretty serious happenings on the zero-day front today so we’ll keep it short and sweet. Today marked the release of the Windows .ANI Processing zero-day. This zero-day vulnerability represents one of the most potent zero-days recorded by the Zero-Day Tracker. Since the vulnerability lies within Windows and is exposed by countless applications, exploit vectors are plentiful for attackers to launch reliable attacks against user32.dll.
eEye’s Blink Neighborhood Watch (LOOK, IT’S FREE!!) was already protecting against this vulnerability with its generic Intrusion Prevention System, so Blink users have nothing to worry about. For those that may not have Blink installed, eEye Research has diligently been plugging away and has released a patch to mitigate this vulnerability while it remains unpatched by Microsoft. This patch successfully disabled ALL attack vectors from exploiting users while not causing a disruption in normal use. As always we suggest that administrators quickly test this against internal web applications prior to installing within their environment. Or, maybe you should just install Blink and join the many users that don’t have anything to worry about.
You can find all of the technical information as well as the
EEYEZD-20070328
Common Name:
Windows .ANI Processing
Date Disclosed:
3/28/2007
Expected Patch Release:
Unknown
Vendor:
Microsoft
Application:
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Description:
An unspecified vulnerability exists within Microsoft Windows which may possibly allow for a remote attacker to execute arbitrary code under the context of the logged in user. This vulnerability requires user interaction by viewing a malicious Windows animated cursor (.ANI) file. .ANI files are commonly used by web developers to display custom cursor animations to enhance web-site experiences.
The most potent attack method is by embedding a malicious .ANI file within an HTML web page. Doing so allows the vulnerability to be exploited with minimal user interaction by simply coaxing a user to follow a hyperlink and visit a malicious web site. Other exploit vectors exist including Microsoft Office applications since they also rely on the same .ANI processing code, making e-mail delivery also a potent threat by using Microsoft Office attachments.
Since .ANI processing is performed by USER32.dll and not the attack vector application itself, all attack vectors have the potential to use a similar exploit with similar address offsets targeted at Windows directly, allowing for a very reliable exploit.
NOTE: This advisory information is gathered from the references below. eEye Research is currently researching the cause of the vulnerability and trying to identify other vulnerable and will update this ZDT entry as more information becomes available.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution under the context of the logged in user
A web browser remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials. Exploitation impact can vary from the reported trojan installation to full system compromise by coupling this attack with a privilege escalation vulnerability to acquire SYSTEM access.
Mitigation:
eEye Digital Security's Research Team has released a workaround for the zero-day vulnerability as a temporary measure for customers who have not yet installed Blink. Blink generically protects from this and other vulnerabilities without the need for updating and is available for free for personal use on all affected platforms except for Vista. This workaround is not meant to replace the forthcoming Microsoft patch, but rather as a temporary mitigation against this flaw.
The temporary patch mitigates this vulnerability by preventing cursors from being loaded outside of %SystemRoot%. This disallows websites from loading their own, potentially malicious animated icons, while causing little to no business disruption on hosts with the patch installed.
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. More information regarding installation and uninstallation is available in the patch installer. Please note that at this time this workaround supports all affected platforms except for x64 and Itanium architectures.
Patch Location: Download Now!
http://www.eeye.com/html/research/tool...ayPatchSetup.exe
