Microsoft Windows Animated Cursor Buffer Overflow
Original release date: March 30, 2007
Last revised: April 03, 2007
Source: US-CERT
Note: This document was previously titled "Microsoft Windows ANI header stack buffer overflow."
Systems Affected
Microsoft Windows 2000, XP, Server 2003, and Vista are affected. Applications that provide attack vectors include
- Microsoft Internet Explorer
- Microsoft Outlook
- Microsoft Outlook Express
- Microsoft Windows Mail
- Microsoft Windows Explorer
Overview
A buffer overflow vulnerability in the way Microsoft Windows handles animated cursor files is actively being exploited.
For updated solution information, see US-CERT Technical Cyber Security Alert TA07-093A and Microsoft Security Bulletin MS07-017.
I. Description
A stack buffer overflow exists in the code that Microsoft Windows
uses to process animated cursor files. Specifically, Windows fails to properly validate the size of an animated cursor file header supplied in
animated cursor files.
Animated cursor files can be included with HTML files. For instance, a
web site can use an animated cursor file to specify the icon that the
mouse pointer should use when hovering over a hyperlink. Because of
this, malicious web pages and HTML email messages can be used to exploit
this vulnerability. In addition, animated cursor files are
automatically parsed by Windows Explorer when the containing folder is
opened or the file is used as a cursor. Consequently, opening a folder
that contains a specially crafted animated cursor file will also
trigger this vulnerability.
Note that Windows Explorer will process animated cursor files with several
different file extensions, such as .ani, .cur, or .ico. Furthermore,
Windows will automatically render animated cursor files referenced by HTML documents
regardless of the animated cursor file extension.
This vulnerability is actively being exploited.
More information is available in Vulnerability Note VU#191609.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code. Exploitation may occur when a user clicks a malicious link, reads or forwards a specially crafted HTML email, or accesses a folder containing a malicious animated cursor file.
III. Solution
Install updates from Microsoft
Microsoft has released updates for this and other image processing vulnerabilities in Microsoft Security Bulletin MS07-017.
Workarounds
Until updates can be installed, refer to the Solution section of Vulnerability Note VU#191609 for the latest workarounds.
IV. References
Feedback can be directed to US-CERT.
Produced 2007 by US-CERT, a government organization. Terms of use
Revision History
March 30, 2007: Initial release
April 03, 2007: Updated with release of MS07-017. Title changed, previous title was "Microsoft Windows ANI header stack buffer overflow."