Status Tracking Note TRTA07-089A

Microsoft Windows ANI header stack buffer overflow

Overview

An unpatched buffer overflow vulnerability in the way Microsoft Windows handles animated cursor files is actively being exploited.

Event Information

Date (UTC)  Source  Description
2007-04-17 18:10 SANS Internet Storm Center
New variant of ANI (MS07-017) exploit
2007-04-06 03:23 Symantec
ThreatCON (2) => (1)
2007-04-05 15:00 Internet Security Systems
AlertCon (2) => (1)
2007-04-04 00:42 JPCERT/CC
JPCERT-AT-2007-0008: Vulnerability in Processing Windows Animated Cursor
2007-04-03 19:48 US-CERT
TA07-093A: Microsoft Update for Windows Animated Cursor Vulnerability
Via US-CERT Mailing List
2007-04-03 19:00 US-CERT
Microsoft Releases Security Bulletin to Patch Animated Cursor Vulnerability
Microsoft has released updates to address several vulnerabilities in Microsoft Windows as part of Microsoft Security Bulletin MS07-017.
2007-04-03 Microsoft
Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
Security Bulletin published.
2007-04-03 Bugtraq
MS Windows Animated Cursor (.ANI) Universal Exploit Generator
Vulnerability Proof Of Concept (CVE-2007-0038)
#Cid: Uniwersal_Exp_Gen-ie_ani.tar.gz
#Cid: 04032007-ie_ani.tar.gz
2007-04-03 Microsoft
Microsoft Security Advisory (935423): Vulnerability in Windows Animated Cursor Handling
Animated Cursor Vulnerability (CVE-2007-0038)
Microsoft has completed the investigation into a public report of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. We have issued MS07-017 to address this issue.
2007-04-03 SANS Internet Storm Center
INFOCon (2) => (1)
2007-04-02 17:06 Internet Security Systems
AlertCon (1) => (2)
Our analysts have observed an increase in the level of active exploitation of the Microsoft ANI vulnerability. We continue to encourage our members to review the associated Microsoft Security Advisory (935423) to obtain workaround information.
2007-04-01 05:20 Microsoft Security Response Center Blog
Latest on security update for Microsoft Security Advisory 935423
We have some new information tonight on the status of the security update that we're working on that addresses the vulnerability in Windows Animated Cursor Handling.
From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007.
2007-04-01 Symantec
W32.Fubalca
Exploit for CVE-2007-0038
2007-04-01 Bugtraq
MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass)
Vulnerability Proof Of Concept (CVE-2007-0038)
#Cid: 04012007-exp.zip
#Tested: Windows Vista Enterprise Version 6.0 (Build 6000)
#Tested: Windows Vista Ultimate Version 6.0 (Build 6000)
#Tested: Windows XP SP2
2007-04-01 Bugtraq
MS Windows XP Animated Cursor (.ANI) Remote Overflow Exploit 2
Vulnerability Proof Of Concept (CVE-2007-0038)
#Cid: 04012007-ani.zip
#Tested: Windows XP SP2 + IE 6 SP2
2007-04-01 Bugtraq
MS Windows XP/Vista Animated Cursor (.ANI) Remote Overflow Exploit
Vulnerability Proof Of Concept (CVE-2007-0038)
#Cid: 04012007-Animated_Cursor_Exploit.zip
#Tested: Windows Vista Enterprise Version 6.0 (Build 6000)
#Tested: Windows Vista Ultimate Version 6.0 (Build 6000)
#Tested: Windows XP SP2
2007-03-31 21:15 SANS Internet Storm Center
Chinese Internet Security Response Team Reports ANI Worm
The Chinese Internet Security Response Team reports the detection of a worm-like payload installed using the ANI exploit.
2007-03-31 14:31 SANS Internet Storm Center
ANI exploit code drives INFOCon to Yellow
INFOCon (1) => (2)
The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.
2007-03-31 10:45 Chinese Internet Security Response Team
New worm uses the .ani zero-day vulnerability
It's bad news that the Windows Animated Cursor Handling zero-day vulnerability is now being used by malware in China. We received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It can also infect .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, and inserts malicious links containing the Windows Animated Cursor Handling zero-day vulnerability into .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files. It can also send out Chinese spam which includes the same zero-day vulnerability link.
2007-03-31 05:19 Bugtraq
Windows .ANI Stack Overflow Exploit
Vulnerability Proof Of Concept (CVE-2007-1765)
NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
#Cid: 23194.c
2007-03-31 SANS Internet Storm Center
ANI: It Gets Better
2007-03-30 18:47 US-CERT
TA07-089A: Microsoft Windows ANI header stack buffer overflow
Via US-CERT Mailing List
2007-03-30 05:53 Determina
Vulnerability In Windows Animated Cursor Handling
In December 2006, Determina announced that it had found a number of new vulnerabilities affecting Microsoft Windows and related products. These were privately reported to Microsoft by Determina and no public information was released on how to exploit these vulnerabilities.
2007-03-30 03:14 JPCERT/CC
JPCERT-AT-2007-0008: Vulnerability in Processing Windows Animated Cursor
2007-03-30 SANS Internet Storm Center
Detecting and filtering out windows animated cursor exploitation attempts
2007-03-30 SANS Internet Storm Center
Ani cursor exploits against Microsoft E-mail clients - CVE-2007-0038
A short overview of how the different email clients on Microsoft's supported list react to the animated cursor vulnerability (CVE-2007-0038, previously also CVE-2007-1765), depending on the actions taken by the user and the settings of the email client.
2007-03-30 Internet Security Systems
Microsoft Windows Animated Cursor (ANI) Code Execution
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system caused by improper handling of malformed cursors, animated cursors or icons.
2007-03-29 19:00 Symantec
ThreatCON (1) => (2)
2007-03-29 13:00 US-CERT
Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling
US-CERT is aware of a new, unpatched vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code. This vulnerability is caused by Windows failing to properly handle specially crafted animated cursor (ANI) files.
2007-03-29 Microsoft
Microsoft Security Advisory (935423): Vulnerability in Windows Animated Cursor Handling
Animated Cursor Vulnerability (CVE-2007-0038)
Advisory published.
2007-03-28 22:44 McAfee
Unpatched Drive-By Exploit Found On The Web
2007-03-28 McAfee
Exploit-ANIfile.c
Exploit for CVE-2007-0038
2007-03-28 Trend Micro
TROJ_ANICMOO.AX
Exploit for CVE-2007-0038
2006-12-20 Determina
Windows Animated Cursor Stack Overflow Vulnerability
Determina Security Research has discovered a vulnerability in the USER32.DLL code responsible for loading animated cursor (.ANI) files. This vulnerability can be exploited by a malicious web page or HTML email message and results in remote code execution with the privileges of the logged-in user.
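As an added illustration of the kind of filtering the SANS entry above refers to, the following Python script is not part of this tracking note or of any vendor's tooling. The note's entries describe the defect only as a stack overflow in ANI header handling; that the overflowing field is the RIFF 'anih' chunk, whose declared length was trusted when its contents were copied into a fixed 36-byte ANIHEADER structure, comes from the public analyses of CVE-2007-0038 rather than from this note, and the checker assumes it. The sample files it inspects are constructed inline; the function and variable names are the author's own.

```python
import struct

# Assumption (from public analyses of CVE-2007-0038, not from this note):
# the 'anih' payload is copied into a fixed 36-byte ANIHEADER structure.
ANIH_SIZE = 36


def walk_riff(data, start, end, depth=0):
    """Yield (fourcc, declared_size, payload, offset, depth, truncated) for every
    chunk between start and end, descending into LIST chunks. Stops at the first
    chunk whose declared size runs past its container and reports it as truncated."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from('<I', data, off + 4)[0]
        body = off + 8
        if body + size > end:  # declared size overruns the container
            yield fourcc, size, data[body:end], off, depth, True
            return
        yield fourcc, size, data[body:body + size], off, depth, False
        if fourcc == b'LIST':
            # first 4 payload bytes are the list type (e.g. 'fram'); walk the rest
            yield from walk_riff(data, body + 4, body + size, depth + 1)
        off = body + size + (size & 1)  # RIFF chunks are word-aligned


def inspect_ani(data):
    """Return a list of findings for a candidate .ani file; an empty list means
    nothing suspicious was seen."""
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON file']
    riff_size = struct.unpack_from('<I', data, 4)[0]
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    for fourcc, size, payload, off, depth, truncated in walk_riff(data, 12, end):
        if truncated:
            findings.append(f'{fourcc!r} chunk at {off} declares {size} bytes '
                            f'but runs past end of container')
        if fourcc == b'anih':
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f'anih chunk at {off} declares {size} bytes, '
                                f'expected {ANIH_SIZE}')
    if anih_count > 1:
        # a second header after a valid first one is also worth a look
        findings.append(f'{anih_count} anih chunks present, expected 1')
    return findings


# --- constructed sample files (built here, not captured from the wild) ---
def riff_chunk(fourcc, payload):
    pad = b'\0' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def build_ani(chunks):
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# cbSizeof=36, 1 frame, 1 step, cx=cy=0, bits=planes=0, jifRate=10, flags=1
GOOD_ANIH = riff_chunk(b'anih', struct.pack('<9I', 36, 1, 1, 0, 0, 0, 0, 10, 1))
BENIGN = build_ani([GOOD_ANIH])
OVERSIZED = build_ani([riff_chunk(b'anih', b'A' * 200)])
SECOND_ANIH = build_ani([GOOD_ANIH, riff_chunk(b'anih', b'A' * 200)])
TRUNCATED = b'RIFF' + struct.pack('<I', 22) + b'ACON' + b'anih' + struct.pack('<I', 5000) + b'A' * 10

if __name__ == '__main__':
    for name, sample in [('benign', BENIGN), ('oversized', OVERSIZED),
                         ('second_anih', SECOND_ANIH), ('truncated', TRUNCATED)]:
        print(name, inspect_ani(sample) or 'ok')
```

The checker only reads declared sizes and never copies chunk contents into fixed buffers, so it is safe to run over untrusted files; a mail gateway or proxy filter would quarantine anything for which inspect_ani returns a non-empty list, whether or not the file carries an .ani extension.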

Reference

Date first published (UTC): 2007-04-01T02:57+00:00
Date last updated (UTC): 2007-04-19T19:03+00:00