Microsoft's .ANI bugfix (and body hacking)

Curses! Foiled by Tuesday's IT Blogwatch: in which Microsoft plans an out-of-cycle security patch for the animated cursor vulnerability. Not to mention body hacking and functional body modification...

Gregg Keizer reports:

Microsoft Corp. will patch the increasingly dangerous Windows animated cursor vulnerability [Tuesday], a week early ... The announcement followed a weekend of escalating warnings from security organizations and reports from China's Internet Security Response Team (CISRT) of a worm in the wild using the unpatched vulnerability. Symantec Corp. and other antivirus companies confirmed the existence of the Fubalca worm yesterday.

Over the weekend, a number of events showed the speed with which attackers were moving ... Microsoft's decision to push the patch out tomorrow may have come just in time ... The emergency fix, pegged as MS07-017, will be released through Microsoft's normal channels, including Automatic Updates, Windows Update and the enterprise-oriented Windows Server Update Services. MS07-017 will be only the third out-of-cycle patch from Microsoft in more than two years.

Microsoft's Christopher Budd adds:

We have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007.


I’m sure one question in people’s minds is how we’re able to release an update for this issue so quickly. I mentioned on Friday that this issue was first brought to us in late December 2006 and we’ve been working on our investigation and a security update since then. This update was previously scheduled for release as part of the April monthly release on April 10, 2007. Due to the increased risk to customers from these latest attacks, we were able to expedite our testing to ensure an update is ready for broad distribution sooner than April 10.

But George Ou is predictably inflammatory:

Microsoft had multiple chances to release a patch for the ANI (Animated Cursor) Exploit in the months of January, February, and March but failed to release any patches for the vulnerability that was originally disclosed privately to Microsoft on December 20 2006.  Now we're getting an emergency patch today one week before the regular patch cycle and Microsoft seems to think that this is a success story on their "quick" response to this zero-day exploit.


Why has it taken Microsoft three and a half month to patch a vulnerability that was disclosed to them in secret, wait until after the vulnerability is being exploited in the wild, wait until after a third party comes out with a third party patch, and wait until after this became a public relations nightmare to come out with an out-of-band patch? This isn't the first time either because the last time Microsoft came out with an out-of-band patch was the WMF exploit and that was under the exact same circumstances with massive negative press.


The fact of the matter is that Microsoft has done a relatively good job auditing their code and keeping their exploit count to a minimum, but they seem hell-bent on perpetuating the perception that Microsoft is a joke when it comes to security.

Here's smallmo, from the Chinese Internet Security Response Team:

We think the author of .ani worm we reported yesterday has realized it will be very serious if his or her worm infects lots of Chinese computers. Maybe he(or she) doesn't want to be arrested like Li Jun, the author of Worm.Win32.Fujacks.

In the latest version of this .ani worm, he(or she) has removed the function of infecting .HTML .ASPX .HTM .PHP .JSP .ASP files, and inserting the malicious links which contained Windows Animated Cursor Handling zero-day vulnerability into these files. He(or she) also leaves a message that he(or she) doesn't want to destroy any computers, destroy any documents, infect system files in the worm body.

Harry Waldron has the info:

The ANI exploit can be embedded and completely hidden in malicious HTML pages.  Users can be easily become infected, usually by silently linking to a malicious website.  HTML will remain more dangerous until an official patch is in place.

Please be extra careful with email.  Even plain text processing by some email clients may not be safe until Microsoft issues a new patch.  Untrusted websites might also contain this new threat.  AV protection can help as well as recommendations shared in the Microsoft security advisory.

ZERT explains and offers a 3rd-party patch:

The newly discovered zero-day vulnerability in the parsing of animated cursors is very similar to the one previously discovered by eEye that was patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated cursor RIFF file is read into a stack buffer of a fixed size (36 bytes) but the actual memory copy operation uses the length field provided inside the "anih" chunk—giving an attacker an easy route to overflow the stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the chunk before copying it to the buffer. However, they neglected to audit the rest of the code for any other instances of the vulnerable copy routine. As it turns out, if there are two "anih" chunks in the file, the second chunk will be handled by a separate piece of code which Microsoft did not fix. This is what the authors of the zero-day discovered.


ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files ... It is important to uninstall the ZERT patch before applying the vendor patch, once one becomes available from Microsoft.

Gadi Evron is awe-struck:

I would like to leave the 0day behind for now and just stare! The patch is just beautiful. Active patching in memory, no static address… rather generic patching in memory, searching for several signatures.

Beautiful work from Gil Dabah.

Buffer overflow:

Around the Net Around Computerworld Previously in IT Blogwatch

And finally... What the heck is functional body hacking?

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at

Copyright © 2007 IDG Communications, Inc.

Shop Tech Products at Amazon