Microsoft confirms critical security hole
Microsoft has released a security advisory in which it confirms the security hole that was reported last Thursday in Internet Explorer. Attackers can, for example, use specially crafted animated cursor files (.ani) embedded in websites or emails to inject arbitrary program code onto users' computers. In its security advisory, Microsoft says it is still investigating this vulnerability, but it is already clear that insufficient verification of the file format is the cause of this particular problem. The software vendor says it plans to release an update that will close the hole.
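To illustrate what verifying the file format means for .ani files, the following added example (not Microsoft's or Determina's code) walks the RIFF container of an animated cursor and reports structural problems, as a mail or web gateway filter might. It assumes the publicly documented ANI layout (a RIFF file of form type ACON with a single 36-byte `anih` header chunk), which the advisory itself does not describe; the function names and sample files are constructed for this example.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER: nine little-endian 32-bit fields (assumed from the public format)


def chunk(tag: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk: 4-byte tag, 32-bit LE length, body, pad to even."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)


def riff_acon(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container with form type ACON."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def check_ani(data: bytes) -> list[str]:
    """Return the structural problems found in an .ani file (empty list = none)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    problems = []
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 != len(data):
        problems.append(f"RIFF length {riff_len} does not match file size {len(data)}")
    pos, headers = 12, 0
    while pos < len(data):
        left = len(data) - pos - 8  # bytes available after this chunk header
        if left < 0:
            problems.append(f"truncated chunk header at offset {pos}")
            break
        tag, size = struct.unpack_from("<4sI", data, pos)
        if size > left:
            problems.append(f"chunk {tag!r} at {pos} declares {size} bytes, {left} remain")
            break
        if tag == b"anih":  # validate every header chunk, not only the first
            headers += 1
            if size != ANIH_SIZE:
                problems.append(f"anih at {pos} is {size} bytes, expected {ANIH_SIZE}")
        pos += 8 + size + (size & 1)  # chunks are word-aligned; LIST is skipped whole
    if headers != 1:  # strict policy of this example: exactly one header
        problems.append(f"{headers} anih chunks, expected exactly 1")
    return problems


# Constructed samples: a well-formed cursor skeleton and one with a wrong-sized header.
GOOD = riff_acon(chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)),
                 chunk(b"LIST", b"fram"))
BAD = riff_acon(chunk(b"anih", bytes(80)))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ani(sample) or "ok")
```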
As a workaround, Microsoft's security advisory suggests that for now users should not visit any untrustworthy websites and not even look at suspicious emails. As of Outlook 2002, HTML emails can be viewed as text, though this does not prevent the hole from being exploited if infected emails are forwarded. At the same time, the text mode does not provide any protection in Outlook Express. Microsoft says that Outlook 2007 is protected from such attacks because it uses Word to display emails.
The flaw concerns Internet Explorer 6 and 7 running on: Windows 2000 SP 4, XP with Service Pack 2, the 64-bit version of XP 2003 for Itanium, XP Professional x64, Windows Server 2003 with and without Service Pack 1 (also for Itanium), Server 2003 x64 Edition, and Windows Vista, the latest operating system from Redmond. In Vista, Outlook and Windows Mail are mainly vulnerable; as Microsoft explains in its security advisory, Internet Explorer 7 is not vulnerable in protected mode. In other words, if you have disabled this mode, you should switch it back on again.
Users should implement the proposed workarounds until the security updates that have been announced are actually released. And if you want to surf the internet, you will probably want to switch to another web browser at least for the interim.
Security service provider Determina, which released unofficial patches for vulnerabilities in Internet Explorer last October, has now reported that it informed Microsoft of this hole in December 2006. An entry in the Common Vulnerabilities and Exposures (CVE) database has already been reserved but does not yet contain any details.
According to the security advisory, the protected mode of IE7 on Vista merely reduces the risk a little, as attackers can still execute shellcode. In addition, under certain circumstances that were not specified, Firefox also executes Windows routines that handle ANI cursors. Determina says that this vulnerability results from an incomplete patch provided back in 2005 for the handling of animated cursors.

See also:
- Vulnerability in Windows Animated Cursor Handling, Microsoft's security advisory
- 0-day ANI vulnerability in Microsoft Windows, Determina's entry at Full Disclosure
- HTML Remote Code Execution Vulnerability, Determina's security advisory