On March 29, Microsoft issued an advisory about animated cursor exploits that are being used to infiltrate Windows. The exploits take advantage of a flaw in the way animated cursor (.ani) files are handled by the OS. The flaw can allow someone to run arbitrary code on an affected system. No patch is available to fix the problem, which affects Windows Vista/Server 2003/XP/2000.
A spokesperson for Determina said the company notified Microsoft privately about the vulnerability in December 2006. Then on March 29 Arbor Networks posted information that said it had discovered several Web sites with pages that contain malicious .ani files.
Filtering out files with .ani extensions reportedly doesn't work to prevent an attack due to the way Microsoft Internet Explorer (IE) and Microsoft Outlook parse content. However various anti-malware solution providers have integrated detection and prevention into their platforms.
eEye Digital Security published its own advisory about the problem along with a patch to serve as a temporary workaround until Microsoft publishes its official patch. eEye's patch prevents .ani files from being loaded to a system from anywhere outside the Windows root directory. A link to the patch is available in eEye's advisory.
Update (April 2, 2007):
Late yesterday, Microsoft announced that it would release an official patch (Microsoft Security Bulletin MS07-017) for the animated cursor vulnerability tomorrow, April 3. The company had planned to release the update on April 10 as part of its regularly scheduled monthly updates. However, the severity of the problem along with the availability of exploit code and exploit creation tools prompted Microsoft to act more swiftly.
At least one exploit can allow a remote intruder to take control of an affected system by spawning a remotely accessible command shell, and that particular exploit has already been integrated into Metasploit Framework.
iDefense reported that a Chinese-based Web site is hosting an online exploit creation tool. "Many of the original attacks and those out of China are focused on theft of role playing game credentials to sell on the black market," said Ken Dunham, director of the Rapid Response Team at iDefense.
