Thursday, March 29, 2007

Microsoft ANI Exploit Circulating

Microsoft's animated cursor files, which normally end with the extension ANI, are being used to take over Microsoft Windows systems. The vulnerability was not known until it was found being actively exploited in the wild. It is being delivered via e-mail and websites; simply previewing a message with an attached file, or visiting a malicious or compromised website, will cause arbitrary code to be run on the system.

This is extremely serious.

Other points to note:

The file does not have to have a .ANI extension. If the file has a .JPEG extension, the exploit still works. Several exploit implementations are already using this technique to bypass filters.

All versions of Windows from 95 through Vista, and all versions of Internet Explorer, Outlook and Outlook Express, are vulnerable.

Windows Explorer, when not in "classic" mode, will cause the code embedded in the ANI file to be run when you browse to the containing directory.

Putting a malicious ANI file on the desktop in Windows Vista reportedly causes the machine to enter an infinite crash-and-reboot cycle.
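
Because a renamed file still triggers the flaw, a mail or web filter has to decide on content rather than on the file name. As an added example (not from the original post), this Python check recognises an animated cursor by its RIFF container header with the ACON form type and flags it under any extension; the function names, verdict strings and sample bytes are constructed for illustration.

```python
import os
import struct

# Assumption: ".ani" is the only name an animated cursor should arrive under.
ANI_EXTENSIONS = {".ani"}


def riff_form_type(data: bytes):
    """Return the 4-byte RIFF form type, or None if data is not a RIFF file."""
    # RIFF layout: b"RIFF", 4-byte little-endian size, 4-byte form type.
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    return data[8:12]


def verdict(filename: str, data: bytes) -> str:
    """Classify an attachment by its content first and its name second."""
    if riff_form_type(data) != b"ACON":
        return "pass"
    ext = os.path.splitext(filename)[1].lower()
    # Animated cursor content is blocked either way; a non-.ani name is
    # reported separately because it indicates an attempt to evade filters.
    return "block-ani" if ext in ANI_EXTENSIONS else "block-disguised-ani"


def make_riff(form: bytes, body: bytes = b"") -> bytes:
    """Build a constructed, header-only RIFF sample (carries no cursor data)."""
    return b"RIFF" + struct.pack("<I", len(form) + len(body)) + form + body


# Constructed sample inputs: file name -> first bytes of the file.
SAMPLES = {
    "cursor.ANI": make_riff(b"ACON"),
    "photo.jpeg": make_riff(b"ACON"),             # cursor content, image name
    "real.jpeg": b"\xff\xd8\xff\xe0" + bytes(16),  # JPEG start-of-image marker
    "sound.wav": make_riff(b"WAVE"),              # RIFF, but not a cursor
}


def scan(samples: dict) -> dict:
    """Return a verdict for every (name, content) pair."""
    return {name: verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name:12} {result}")
```
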


Note from the sponsor: Customers of eSoft's Gateway Antivirus are protected from this exploit.
