Vulnerability Note VU#191609
Microsoft Windows animated cursor stack buffer overflow
Original Release date: 29 Mar 2007 | Last revised: 15 Aug 2007
Overview
Microsoft Windows contains a stack buffer overflow in the handling of animated cursor files. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.
Description
Animated cursor files (.ani) contain animated graphics for icons and cursors. Animated cursor files are stored as Resource Interchange File Format (RIFF) data. A stack buffer overflow vulnerability exists in the way that Microsoft Windows processes malformed animated cursor files. Specifically, Microsoft Windows fails to properly validate the size of animated cursor file headers. Windows Explorer will process animated cursor files with several different file extensions, such as .ani, .cur, or .ico. An animated cursor file is parsed when the folder that contains it is opened or when the file is used as a cursor. In addition, Internet Explorer can process animated cursor files in HTML documents, so web pages and HTML email messages can also trigger this vulnerability. Any Windows application may call the vulnerable code to process animated cursor files.
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition.
Solution
Apply updates from Microsoft
Block access to malformed animated cursor files at network perimeters
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
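For the perimeter-blocking measure above, the following added example (not part of the original note or of any vendor tool) classifies a file by its RIFF content rather than its extension and flags any animated cursor header chunk whose declared size is unexpected. It assumes the header lives in an `anih` chunk of a RIFF `ACON` file and is 36 bytes long; those format details, the function names and the zero-filled samples are not from the note.

```python
import struct

ANIH_SIZE = 36  # assumed size of the animated cursor header structure

def chunk(tag: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk: 4-byte tag, little-endian size, body, even padding."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container of form type ACON."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def anih_sizes(data: bytes, pos: int, end: int) -> list:
    """Collect the declared size of every 'anih' chunk between pos and end."""
    sizes = []
    while pos + 8 <= end:
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > end:
            raise ValueError("chunk runs past its container")
        if tag == b"LIST":  # nested list: skip its 4-byte type, then recurse
            sizes += anih_sizes(data, body + 4, body + size)
        elif tag == b"anih":
            sizes.append(size)
        pos = body + size + (size & 1)  # chunks are word-aligned
    return sizes

def classify(data: bytes) -> str:
    """Return 'not-ani', 'ok' or 'malformed', judged by content, not file name."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return "not-ani"
    try:
        sizes = anih_sizes(data, 12, len(data))
    except ValueError:
        return "malformed"
    if not sizes or any(s != ANIH_SIZE for s in sizes):
        return "malformed"  # missing header or unexpected header size
    return "ok"

# Constructed samples (zero-filled, not taken from any real file).
SAMPLES = {
    "pointer.ani": riff(chunk(b"anih", bytes(36))),
    "pointer.ico": riff(chunk(b"anih", bytes(64))),  # RIFF data under an .ico name
    "logo.ico": b"\x00\x00\x01\x00" + bytes(12),     # ordinary icon, not RIFF
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

A filter built this way should block or quarantine on `malformed` regardless of the file name, since the note states that files with .cur or .ico extensions are also processed as animated cursors.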
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Microsoft Corporation | Affected | 29 Mar 2007 | 03 Apr 2007 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- www.us-cert.gov/cas/techalerts/TA07-089A.html
- www.us-cert.gov/cas/techalerts/TA07-093A.html
- www.microsoft.com/technet/security/bulletin/ms07-017.mspx
- blogs.technet.com/msrc/search.aspx?q=935423
- www.microsoft.com/technet/security/advisory/935423.mspx
- www.determina.com/security.research/vulnerabilities/ani-header.html
- vil.nai.com/vil/content/v_141860.htm
- www.avertlabs.com/research/blog/?p=230
- www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=T
- secunia.com/advisories/24659/
- research.eeye.com/html/alerts/zeroday/20070328.html
- xforce.iss.net/xforce/alerts/id/258
Credit
This vulnerability was reported by Alexander Sotirov of Determina.
This document was written by Jeff Gennari and Will Dormann.
Other Information
- CVE IDs: CVE-2007-0038
- Date Public: 29 Mar 2007
- Date First Published: 29 Mar 2007
- Date Last Updated: 15 Aug 2007
- Severity Metric: 142.50
- Document Revision: 51