With Vista at risk, eEye issues unofficial patch; attacks traced to Chinese hackers

The Windows zero-day bug now being used by attackers is extremely dangerous, security researchers said today, and ranks with the Windows Metafile vulnerability of more than a year ago on the potential damage meter.

“This is a good exploit,” Roger Thompson, CTO of Exploit Prevention Labs, said in an instant message exchange. “It’s very dangerous. One of the reasons is that there’s no crash involved…it’s instantaneous. And all it takes is visiting a site.”

Yesterday, Microsoft Corp.’s Security Response Center (MSRC) issued an advisory acknowledging a bug in Windows’ animated cursor support, the component that lets developers show a short animation at the mouse pointer’s location. Attackers, who are already exploiting the bug in limited fashion, can hijack PCs by luring users to malicious Web sites or by sending them a malformed cursor file via e-mail.

Other researchers waded in today with warnings of the animated cursor danger. “This is reminiscent of the former Windows Metafile (WMF) attacks from 2005 and 2006,” Ken Dunham, director of VeriSign Inc.’s iDefense rapid response team, said in an e-mail. “It’s trivial to update, multiple sites now host the code in a short period of time, and the highly virulent file exploitation vector within Windows Explorer exists.”

In late 2005, exploits of the WMF vulnerability swept through malicious sites and infected thousands of PCs with a raft of malware, including spyware and bot Trojans. Microsoft rushed a patch into place in early January 2006, one of the few times it has gone out-of-cycle with a fix.

“There are a lot of exploits the equivalent of triple lutzes,” said Ross Brown, the CEO of eEye Digital Security. “Only those high to the right on the hacker bell curve can pull it off. But this one doesn’t need a lot of sophistication. It doesn’t require a PhD in hacking,” Brown said.
“The number of people who can use this is huge.”

eEye considered it so dangerous that early this morning it released a rare unofficial patch to temporarily plug the dike. This is only the second time that eEye has put out an unsanctioned fix for a Microsoft bug. “We have some internal criteria for doing that, which this met,” said Brown. “First, there’s no direct mitigation, no registry switch or kill bit that a user or administrator can set. Second, the patch itself should be unobtrusive. And third, we want to make sure that the patch will unload itself when Microsoft releases its patch.”

eEye’s fix is “straightforward,” said Brown, who likened it to a shim. “This prevents any animated cursor except those already installed by Windows from being executed,” he said. eEye’s patch notes said that the fix blocks cursors from being loaded outside of %SystemRoot%, which prevents sites from loading their own, potentially malicious animated cursors. Brown confirmed that the patch includes code to automatically uninstall itself once a user installs the expected Microsoft fix. eEye made the patch available for download.

Because simply previewing an HTML e-mail message can result in an infection, Microsoft also provided additional details late yesterday on which of its e-mail clients are safest to use. According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista’s Windows Mail — as long as users don’t reply to or forward the attacker’s messages.

The SANS Institute’s testing, however, contradicted Microsoft: by SANS’ account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 on any version of Windows put users at risk when they simply preview a malicious message. They don’t have to actually open the message to be in danger of an infection.

In-the-wild attacks, said Dunham, have been limited so far to those against Windows XP SP2 through Microsoft’s Internet Explorer 6 and 7 (IE6 and IE7) browsers.
But that won’t likely remain the case for long. “Our tests prove that trivial modification is all that’s required to update the payload and functionality on multiple operating system builds,” he said.

And while Microsoft yesterday said Vista’s version of IE7 protects users, eEye’s Brown added that browser-based attacks aren’t the only game in town. “I get the PR [public relations] angle they’re going down, but there are all sorts of ways this can come in, including HTML e-mail. Vista’s not immune.”

Websense Inc. said in a separate alert that it had identified at least nine different sites hosting the animated cursor exploit as of last night. Dunham, of iDefense, could only narrow it to “multiple domains,” but added that they point back to two hostile servers, both based in China.

Both iDefense and Websense pinned blame on known hacker groups. Dunham said his team had traced the attacks to the Chinese Evil Octal forum, a group using a server supposedly registered to the Guilin University of Electronic Technology in Guilin, Guangxi Province, People’s Republic of China. For its part, Websense claimed a link between the newest attacks and the group responsible for hacking the Web site of Dolphin Stadium in Miami, Fla. — the site of the 2007 Super Bowl — just days before this year’s game between the Indianapolis Colts and the Chicago Bears.

The next regularly scheduled Microsoft patch release date is April 10, more than a week and a half away. However, Microsoft has not yet committed to a fix date, much less to April 10. Yesterday, a company spokeswoman would only say: “[We] will release an update for this issue at the conclusion of our investigation.”

“The thing that really bugs me about this,” said Brown, eEye’s CEO, “is that it affects Vista. This is a known vulnerability that has a connection to a vulnerability patched in January 2005.
I’m not sure what happened; maybe they checked in old code for Vista and then didn’t fully check it against known vulnerabilities.”

More than two years ago, in its January 2005 MS05-002 security bulletin, Microsoft credited eEye with providing information on a bug involving cursor, animated cursor and icon files.

“Worse, we know there are vulnerabilities that can be exploited in Vista to escalate privileges,” said Brown. “All you need is access to the system, which this [animated cursor] provides.” Once inside, said Brown, the attacker could elevate even a less-privileged local user account to administrator privileges. “Then, all bets are off.”
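The article describes the attack vector (a malformed animated cursor file delivered by a Web page or an e-mail message) and eEye's mitigation (refuse any cursor that is not loaded from under %SystemRoot%) only in prose. The following Python script is an added example, written for this page; it is not eEye's shim, not Microsoft's fix, and not code from any of the vendors quoted. It walks the RIFF/ACON chunk layout of an .ani file and flags chunks whose declared lengths do not fit the format, the kind of check a mail gateway or incident-response triage script can apply to attachments, and it applies the %SystemRoot% load-path policy with the path normalized first so that a `..` segment cannot escape the allowed directory. The 36-byte ANIHEADER size, the one-anih-per-file rule and the RIFF layout are assumptions taken from the documented .ani file format, not from the article, and every sample file in the script is constructed inline rather than captured from the wild.

```python
"""Triage checks for Windows animated cursor (.ani) files.

Added example, not eEye's shim and not Microsoft's code. Two checks the article
describes only in prose: (1) walk the RIFF/ACON chunk structure of an .ani file
and flag chunks whose declared lengths do not fit the format; (2) apply the
load-path policy from eEye's patch notes (cursors only from %SystemRoot%).
Assumptions: the 36-byte ANIHEADER and the one-anih-per-file rule come from the
documented .ani format, not from the article; all samples below are constructed.
"""
import ntpath
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian 32-bit fields (assumed from the .ani format)


def riff_chunk(fourcc, body):
    """Encode one RIFF chunk; odd-length bodies get a pad byte."""
    pad = b"\0" if len(body) & 1 else b""
    return fourcc + struct.pack("<I", len(body)) + body + pad


def walk_chunks(data, start, end, findings, anih_count):
    """Walk the chunks in data[start:end], appending anomaly strings to findings.

    Returns the running number of anih chunks seen so far.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if body + size > end:
            findings.append(f"{fourcc!r} at offset {pos}: declared size {size} overruns its container")
            break  # nothing after a bad length can be trusted
        if fourcc == b"LIST":
            # A LIST body starts with a 4-byte list type, then nested chunks.
            anih_count = walk_chunks(data, body + 4, body + size, findings, anih_count)
        elif fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at offset {pos}: declared size {size}, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", data, body)[0] != ANIH_SIZE:
                findings.append(f"anih at offset {pos}: cbSize field is not {ANIH_SIZE}")
        pos = body + size + (size & 1)  # RIFF pads odd-length chunks to even offsets
    return anih_count


def scan_ani(data):
    """Return a list of anomaly strings; an empty list means the layout is sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if 8 + riff_size > len(data):
        findings.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    end = min(8 + riff_size, len(data))
    count = walk_chunks(data, 12, end, findings, 0)
    if count != 1:
        findings.append(f"expected exactly one anih chunk, found {count}")
    return findings


def cursor_load_allowed(path, system_root=r"C:\Windows"):
    """eEye-style policy: allow a cursor only if its normalized path is under %SystemRoot%.

    normpath collapses '..' first, so 'C:\\Windows\\..\\x.ani' is refused; relative
    and UNC paths are refused as well (a conservative default assumed here).
    """
    root = ntpath.normcase(ntpath.normpath(system_root)).rstrip("\\") + "\\"
    full = ntpath.normcase(ntpath.normpath(path))
    return full.startswith(root)


# Constructed samples (not real cursors): one sane file and two malformed ones.
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 0)


def build_ani(*chunks):
    payload = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


def good_sample():
    return build_ani(riff_chunk(b"anih", GOOD_ANIH))


def oversized_second_anih_sample():
    """A second anih chunk whose declared length far exceeds the fixed header."""
    return build_ani(riff_chunk(b"anih", GOOD_ANIH), riff_chunk(b"anih", b"A" * 256))


def overrun_sample():
    """A chunk header that claims more bytes than the file actually contains."""
    return build_ani(b"anih" + struct.pack("<I", 4096) + b"\0" * 8)


if __name__ == "__main__":
    for name, sample in [("good", good_sample()),
                         ("oversized anih", oversized_second_anih_sample()),
                         ("overrun", overrun_sample())]:
        print(name, scan_ani(sample) or "ok")
    for p in [r"C:\Windows\Cursors\aero_busy.ani", r"C:\Windows\..\Users\evil.ani",
              r"\\evil\share\cursor.ani"]:
        print(p, "allowed" if cursor_load_allowed(p) else "blocked")
```

The scanner stops at the first chunk whose declared length overruns its container, since every offset after that point is attacker-controlled; a gateway would quarantine on any non-empty finding rather than try to repair the file. The path policy is a positive allow-list, which is why it refuses relative and UNC paths instead of trying to enumerate bad ones.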