ALERTS: .ANI Exploits

02 Apr 05:55

Most security companies report "zero-day" exploits of Windows Animated Cursor Handling.

A spate of new exploits has emerged over the weekend. According to iDefense VeriSign Intelligence Operations this is the sequence of events:

  1. Full Disclosure post of the source code for an ANI exploit.
  2. Chinese ANI generation tools discovered by iDefense.
  3. Spam run pointing back to ANI sites reported by McAfee.
  4. ANI Worm reported by the Korean CERT.
  5. Over 100 ANI exploitation sites reported by WebSense.

Yesterday was April Fool's which saw this vulnerability being used in several new attacks, including spam-borne ones. Unfortunately the exploit is trivial to use and modify. This is a serious issue that will give rise to a series of new attacks, potentially having a very long run-time.

At this stage we have seen a worm, a spam run, over a hundred ANI exploitation sites, and generation kits in the wild. So far the exploits impact only Windows XP SP2 but the exploit is easy to modify so this comfort is likely to be short-lived. Various counter-measures are available, the one that immediately springs to mind is to follow the advice ISB has given for many years: do not use Internet Explorer under any circumstances!

Most of the exploits seem to originate from China, so if you want to follow developments why not visit the Chinese Internet Security Response Team's web site (UR below)?

Related links: (Open in a new window.)
www.cisrt.org/enblog/read.php?68
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1765
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038

Taken from Information Security Bulletin.