Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling

This is a very serious vulnerability that is almost certain to be exploited on a wide scale. If the vulnerability were limited to animated cursors alone it would not be as serious, but there are reports of JPG files, which are very commonly used in web pages, being exploited as well. The result is that by simply going to a web site a user’s computer can be completely compromised. In excess of 200 million Windows users are likely to be at risk. Even legitimate web sites present potential danger to users who follow best practice guidelines for web browsing. In January the Miami Dolphins’ Super Bowl web site was compromised and malicious software was placed there. This type of attack exposes even fairly sophisticated users to “drive-by” attacks that can compromise their computers. For web browsing, the use of virtualization technologies such as Sandboxie (www.sandboxie.com) can afford some protection; however, email remains a potential attack vector. Forcing Outlook to render email in plain text is a mitigating tactic, but Outlook Express remains vulnerable to attack even when configured to render email in plain text.

Having worked with (not in) the Microsoft Security Response Center (MSRC) in vulnerability report scenarios while employed at MS, I can tell you that the MSRC will be in high gear and working around the clock with a variety of teams at Microsoft. Microsoft and their customers cannot afford to wait until the scheduled April 10th patch day if they can possibly release a fix sooner. I am certain the appropriate people at Microsoft are acutely aware of how bad this threat is and the damage potential it presents to both consumers and Microsoft.

ESET, Microsoft, and a host of other vendors have released detection for the malware associated with the vulnerability; however, new variations of the exploit code are expected. Regardless of the security products used, email from unknown users should be promptly deleted, Outlook should be configured to display email in plain text, and care should be taken to visit only web sites that users have reason to believe are trustworthy.

For more information, the following organizations have posted details and advice as well:

http://isc.sans.org/diary.html?storyid=2534

http://www.kb.cert.org/vuls/id/191609

Randy Abrams
Director of Technical Education