Microsoft warns of Windows flaw that leaves users open to attack from malformed ANI files

Microsoft warned users today about a critical unpatched vulnerability in Windows that leaves systems open to attack through malicious websites or email messages.

Researchers with the Microsoft Security Response Center (MSRC) gave a heads-up on the flaw through a security advisory sent out this morning. The announcement explained that attackers can exploit the way Windows handles animated cursor files.

“In order for this attack to be carried out, a user must either visit a website that contains a webpage that is used to exploit the vulnerability, view a specially crafted email message or open a specially crafted email attachment sent to them by an attacker,” wrote Adrian Stone in the MSRC blog. “While the attack appears to be targeted and not widespread, we are monitoring the issue and will update the advisory and blog as new information becomes available.”

This vulnerability is one of many that Microsoft is working to patch by its next Patch Tuesday on April 10. The company did not release any security-related patches this month.

Reports of this vulnerability began trickling to the public Wednesday when McAfee Avert Labs posted a blog entry about the threat. While Microsoft reported only “very limited” attacks using this flaw, experts believe that this could be a good vector to create successful blended attacks.

McAfee’s Craig Schmugar said he received a malicious sample prior to his post yesterday, and he believes there are more lurking out there: “It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.”

Experts with the SANS Internet Storm Center warned that simply blocking .ani files may not completely protect against the vulnerability.

“While animated cursors are usually downloaded as .ani files, blocking these files is not sufficient to mitigate the vulnerability,” wrote handler Maarten Van Horenbeeck on the SANS blog. “We have received reports of this vulnerability being exploited in the wild using files renamed to jpeg.”
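
The SANS point above, that filtering on the .ani extension misses renamed files, can be addressed by classifying files on content instead of name. The following is an added example, not code from the article, Microsoft or SANS: it checks for the RIFF container header with the ACON form type that animated cursor files carry, and its function names and sample bytes are constructed for illustration.

```python
import struct

def looks_like_ani(data):
    """True if the bytes start with the RIFF/ACON header of an animated cursor."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def riff_chunks(data):
    """Yield (chunk_id, declared_size) for each top-level chunk after the header."""
    pos = 12  # skip "RIFF", the 4-byte length and the 4-byte form type
    while pos + 8 <= len(data):
        chunk_id, size = struct.unpack_from("<4sI", data, pos)
        yield chunk_id, size
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to an even length

def classify(filename, data):
    """Return 'ani', 'disguised-ani' or 'other', judged by content, not name."""
    if not looks_like_ani(data):
        return "other"
    return "ani" if filename.lower().endswith(".ani") else "disguised-ani"

def build_sample():
    """Constructed sample: a minimal RIFF/ACON container with one 36-byte anih chunk."""
    anih = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih)) + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    cursor = build_sample()
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG-style header
    samples = [("cursor.ani", cursor), ("photo.jpeg", cursor), ("real.jpg", jpeg)]
    for name, blob in samples:
        chunks = [cid for cid, _ in riff_chunks(blob)] if looks_like_ani(blob) else []
        print(f"{name}: {classify(name, blob)} chunks={chunks}")
```

A `disguised-ani` result only says the file is an animated cursor under another extension, which is the case an extension filter lets through; it does not say whether the file is malicious.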

Click here to email West Coast Bureau Chief Ericka Chickowski.

