Advance Update from Microsoft for ANI Vulnerability
Microsoft has announced an advance patch for the critical security vulnerability in loading animated cursor (.ani) files in numerous Windows versions. The Redmond-based company is thereby closing up the already actively exploited vulnerability one week before the official patch day. The update also fixes other additional security holes. The most serious hole that the update closes is the animated cursor stack overflow, which was discovered by Determina and reported to Microsoft as early as December 2006. It concerns the system library USER32.DLL from the operating systems Windows NT, 2000, XP, 2003 and also Windows Vista. The ANI-files are multimedia files in RIFF format. Like avi-files, these consist of numerous chunks, each containing a header and data. The header contains four ASCII symbols and a value, that displays the size of the data blocks.
One of these chunks is a so-called anih-chunk, which is a data segment that contains a 36-byte animated header structure. Back at the beginning of 2005 Microsoft had already fixed the vulnerability by closing a hole in the function for the buffer overflow LoadCursorIconFromFileMap, but the vendor did not check the length of anih-chunk prior to reading the data into a fixed size buffer on the stack. If the file size check implemented by that patch is successful, LoadCursorIconFromFileMap activates the function LoadAniIcon which processes the remaining chunks of the ANI file. However, Microsoft forgot to implement a length check in it. This can lead to successive, prepared anih-chunks which still provoke the error.
In a test from heise Security, a demo-exploit for the ANI security vulnerability failed to break into an updated Windows XP SP2. Therefore, all affected users should install the update from Microsoft, which closes the hole, as soon as possible. Any unofficial patches from unauthorized vendors should first be uninstalled.
The update to Microsofts Security Bulletin MS07-017 closes even additional holes, through which attackers and local users can extend their privileges or cause the system to crash. This can happen, among other things, via manipulated WMF and EMF graphics. In addition the render engine GDI contains several holes through which users or malicious applications can enhance their privileges and take complete control of a system. All of these holes are rated by Microsoft, however, as "important" or "moderate"; only the animated cursor stack overflow received the status "critical".
On systems with a Realtek sound chip and Realtek software installed, the update can cause messages to appear stating that a library has been moved in memory. Microsoft is now providing affected users with another patch to remedy this problem.
Microsoft has not yet announced if further updates will be made available on the actual patch day on Tuesday of next week. Still, some security service organizations are listing several critical security vulnerabilities in Microsoft products for which there are still no patches available.
- Vulnerabilities in GDI Could Allow Remote Code Execution, security advisory from Microsoft
- Windows Animated Cursor Stack Overflow Vulnerability, detailed security advisory on ANI vulnerability from Determina