funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Security Researchers Say Windows .ANI Problem Surfaced Two Years Ago

From: <rms () computerbytesman com>
Date: Fri, 6 Apr 2007 17:28:34 -0400
http://www.informationweek.com/news/showArticle.jhtml?articleID=198800828

Security Researchers Say Windows .ANI Problem Surfaced Two Years Ago 
By Sharon Gaudin 
InformationWeek 

April 6, 2007 01:54 PM 

Security researchers say the Windows .ANI bug that has been plaguing users
for the past week first surfaced -- and was patched -- in early 2005.
 
Microsoft, however, says the .ANI vulnerability found this year is different
from the one found years ago. But some security experts say it's the same
mistake in the same process, and they're questioning how Microsoft could
have missed it. 

"If they had simply looked for other references for the same piece of code
when they originally dealt with it a few years ago, they would have found
this and patched it in 2005," said Craig Schmugar, a threat researcher with
McAfee. "It would have saved a whole lot of people a lot of time, money, and
effort." 

Microsoft declined a telephone interview for this story, but a spokesman did
e-mail InformationWeek to say that while the two vulnerabilities are both
related to cursor and icon format handling, each vulnerability is unique. 

The .ANI vulnerability involves the way Windows handles animated cursor
files. It's a buffer overflow problem. The flaw, which affects all recent
Windows releases, including Windows Vista, could enable a hacker to remotely
take control of an infected system. Internet Explorer is the main attack
vector for the exploits. Researchers concluded this week that Mozilla's open
source browser Firefox also is at risk, though exploits haven't been
focusing on it. 

While Determina researchers had alerted Microsoft about the current
vulnerability in December, the company still hadn't pulled together a patch
for it before the exploits came out more than three months later. Once the
exploits hit toward the end of March, Microsoft said it had nearly 100
technicians working around the clock for several days to get an emergency
patch ready. It was shipped April 3. 

...


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: