PDA

View Full Version : ANI exploit ups INFOCon to Yellow


davidh
March 31st, 2007, 09:30 PM
ANI exploit code drives INFOCon to Yellow

http://isc.sans.org/diary.html?storyid=2542&rss

DH

ndebord
March 31st, 2007, 11:48 PM
ANI exploit code drives INFOCon to Yellow

http://isc.sans.org/diary.html?storyid=2542&rss

DH

David,

Pardon my ignorance, but what does this mean? I read the following and it is greek to me. "If your environment supports it, dropping ANI files (not based on file extention, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though."


Tks,

davidh
April 1st, 2007, 02:44 AM
David,

Pardon my ignorance, but what does this mean? I read the following and it is greek to me. "If your environment supports it, dropping ANI files (not based on file extention, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though."


Tks,

I apologize for the skimpy background. The quoted text refers to precautions to be taken by network administrators.

Protection for home users still appears to be relatively shaky at the moment.

From what I gather so far, exploitation of exploits which are now appearing in the wild, within such programs as Thunderbird or even Firefox, etc. would be possible (but not on LINUX, etc.)

Apparently if one's resident virus scanner on a home computer could catch it then that might be good protection. However, I'm guessing from reading only a couple of the articles on ISC that one might have to turn on virus scanning for ALL files and not just the standard file extensions (EXE, COM, DLL, DOC, XLS, etc.).

I also suspect that a workaround might be possible by disassociating the ANI file extension from it's current MIME file type association, temporarily, until Microsoft provides a patch.

More details here:

Windows Animated Cursor Handling vulnerability - CVE-2007-0038
Published: 2007-03-29,
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14)

http://isc.sans.org/diary.html?storyid=2534&rss

Apparently blacklisting of infected websites can't really cope with the problem. Therefore for high level protection, one would have to take a whitelist approach. Therefore such apps as SiteHound and McAfee SiteAdvisor could be helpful. Unfortunately, even tho' SiteAdvisor covers a high percentage of websites, it can't really protect one against sites that have been infected since the last "web crawl" of SiteAdvisor crawler that previously (if at all) visited the site. Furthermore since it may already be TOO LATE once one has actually opened any page from an infected or malicious site (i.e. if you see the RED McAfee SiteAdvisor button, the ANI cursor may ALREADY have displayed on your PC and done it's evil deeds) one would have to take additional precautions.

ADDITIONAL PRECAUTION(S):

-- Only open pages from an unfamiliar domain if one has found it on a search engine supported by SiteAdvisor (e.g. Yahoo, Google) AND SiteAdvisor has rated it as a GREEN site in the display of the search results.

-- Copy the unfamiliar domain out of the email or web page and plug it into the appropriate form on the SiteAdvisor web site to view McAfee's evaluation of it.

I think I also read somewhere that there are pay-for services (possibly including the non-free version of SiteAdvisor) which will "test" a site in an "on demand" way such that network administrators can use such an online tool to construct reliable whitelists for their office/business, etc.

You can be sure that there are plenty of small businesses (and probably more than a few medium and large ones) out there who are constantly at great risk from many kinds of exploits, not just this recent ANI one (not too mention us poor home users).

That's why I hardly consider the "traditional" 3 layers (virus, firewall, spy) of protection adequate any longer. I've been using NoScript, SiteAdvisor, and FlashBlock for a while now and don't expect the day to come when it's safe to stop using them. I'll probably have to add anti phishing too.

Fortunately for me, the ANI exploit apparently does not affect Win 98.

DH

davidh
April 1st, 2007, 03:01 AM
ANI exploit code drives INFOCon to Yellow

http://isc.sans.org/diary.html?storyid=2542&rss

DH

Better Hope That the ANI Attacks Pass over Your Computer
By Larry Seltzer
March 31, 2007
http://www.eweek.com/article2/0,1759,2110151,00.asp?kc=EWRSS03129TX1K0000614

DH

ndebord
April 1st, 2007, 11:58 AM
David,

DH>> Fortunately for me, the ANI exploit apparently does not affect Win 98.

Now that part I get. (Running W98se that is...) The idea that my carefully constructed collection of firewall, anti-virus and spyware apps is not enough does not make me a happy camper.

<sigh>

Jeff
April 1st, 2007, 12:49 PM
Better Hope That the ANI Attacks Pass over Your Computer
By Larry Seltzer
March 31, 2007
http://www.eweek.com/article2/0,1759,2110151,00.asp?kc=EWRSS03129TX1K0000614

DH

Does it help that I'm using a many year old Logitech mouse driver instead of MS XP anything?

- Jeff

davidh
April 1st, 2007, 04:42 PM
Does it help that I'm using a many year old Logitech mouse driver instead of MS XP anything?

- Jeff I would hazard a guess the OS would have been architected more along the lines of having the actual display of the animated icon be more in the display subsystems rather than in the mouse I/O subsystems. So I suspect that using a non MS mouse driver would not help.

Since my system (Win 98) is apparently unaffected, I have not explored the workarounds.

I suspect that it should be possible (e.g. using Windows Explorer?) to modify the MIME settings (URL MIME types?) so that one's HTML rendering software (browsers, email programs, RSS readers, IM programs, etc.) would not attempt to display an alternate ANI cursor. Additionally there appears to be another setting somewhere to specify folders/user-privilege settings such that only ANI files which are in the specified (SYSTEM) area will be displayed? Some of the URL's in my posts may have links to such info.

Perhaps it would be advisable to keep such a workaround in place even AFTER MS releases a patch? That is, why worry about uninstalling such a workaround even after MS releases a solid patch, since even non-malevolent alternative ANI cursors are probably more cutesy than actually useful?

DH

davidh
April 1st, 2007, 05:06 PM
The idea that my carefully constructed collection of firewall, anti-virus and spyware apps is not enough does not make me a happy camper.


These days there are certainly strong financial motivations for robbers, pirates, gov't cyberwarriors, jihadists, etc. to try to develop exploits and attacks faster than the defenders.

Perhaps the only effective widespread channel for supplying defense is the ISP's. This may tend to make it harder for smaller ISP's to compete, thus reduce competition in the market.

I'm thinking parental control software *and* strong malware defense may become almost imperative both for business and home. A spam bot could easily load child pornography on one's PC making one liable to prosecution for felonies, etc. Innocent (insufficient training against malware) high school student could be convicted to prison for decades.

Vomit,

DH

P.S. Don't forget to perform manual checks for security updates to all your browser (and other, e.g. IM) plug-ins, just in case your auto updates are disabled and/or flakey. That probably goes for MS IE BHO's (Active-X DLL's) and Firefox extensions too. Even the defenders can have holes in them that cause additional compromises to security.

davidh
April 3rd, 2007, 08:10 AM
Patch from MS coming today, Tues, Apr 3 ?

http://isc.sans.org/diary.html?storyid=2555&rss

I assume most XP & Vista systems would DL patch automatically. Windows 2000 may have to do it manually ?

DH

Judy G. Russell
April 3rd, 2007, 11:24 AM
Patch from MS coming today, Tues, Apr 3 ?They'd better get something out there. This is not just a small problem any more. Hackers are using it for real.