Application security, Patch/Configuration Management, Vulnerability Management

eEye releases third-party patch for Microsoft Windows ANI handling flaw; active exploits tied to Chinese hackers, Super Bowl XLI attack

Attacks exploiting a critical unpatched Windows vulnerability were today linked to Chinese hackers and the February cross-site scripting attack on the website of Dolphins Stadium, the site of Super Bowl XLI.

eEye Digital Security, an Aliso Viejo, Calif. vendor, released a third-party patch today for the flaw, which can be attacked through any website, email or content that contains an animated cursor.

If successful, an attack can allow a malicious user to run arbitrary code on a user’s system.

Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said via email today that exploitations were becoming more common early today.

Attacks can be linked back to hostile servers in China, Dunham said.

"Attacks to date attempt to install malicious code, including Nuclear and Nimoret malicious codes. Exploitation in the wild is limited to just Windows XP Service Pack 2 and Internet Explorer 6 and 7. iDefense independent lab tests proved that trivial modification is all that’s required to update both the payload and functionality on multiple operating system builds," he said. "Attacks are largely being launched from Chinese servers. iDefense has correlated this attack back to the Chinese Evil Octal forum and to attacks formerly launched by a group using SQL injection to compromise servers in order to host iFrame links pointing back to exploits hosted on Chinese servers."

Secunia today ranked the flaw as "extremely critical," meaning it can be exploited from remote to run arbitrary code and malicious code is in the wild. The Danish vulnerability-monitoring firm credited Determina with discovering the flaw.

Microsoft confirmed the flaw Thursday in an advisory.

In a Thursday post on the Microsoft Security Response Center blog, researcher Adrian Stone said attacks appeared "to be targeted and not widespread," adding that Redmond was monitoring the attacks.

Meanwhile, McAfee researcher Craig Schmugar said Thursday on the Avert Labs blog that malicious .ani files used in the attack are being served by the same script that compromised the Dolphins Stadium website just days before the Super Bowl was to be played there.

It was unknown today whether Microsoft would release an out-of-cycle fix for the flaw before its April 10 Patch Tuesday release.

Researchers across the board stressed the potency of the attacks.

The eEye Research Team said on its blog today said the vulnerability presents numerous opportunities for malicious users to attack users.

"This zero-day vulnerability represents one of the most potent zero-days recorded by the Zero-Day Tracker," the researchers said. "Since the vulnerability lies within Windows and is exposed by countless applications, exploit vectors are plentiful for attackers to launch reliable attacks against user32.dll."

Mikko Hypponen, chief research officer at F-Secure, said on the company blog today that his firm is getting limited reports from customers. Researchers at the Finnish vendor said Thursday that they’ve captured the W32/Ani.C malware, which downloads Trojan-Downloader.Win32.Small.ELA.

Determina, the firm that first detected the vulnerability last year, warning Microsoft in December, said in an advisory released on Thursday that the flaw is extremely dangerous because it can be attacked by a wide breadth of vectors, including any webpage, email or content that contains an animated cursor.

Researchers warned today that configuring email clients for plain text would not fully protect against the exploits.

"Blocking all types of email attachments may be required to successfully trap any .ani files that may be disguised within other file types, such as .jpg," said Dunham.

Switching to text-only configuration may actually help the bad guys, said handler Swa Frantzen of the SANS Internet Storm Center.

"The surprising element is that read-in-plain-text mode makes some of the clients more vulnerable and actually only offers real added value," he said on the organization’s blog.

Click here to email Online Editor Frank Washkuch Jr.

Looking for a new job? has the latest IT security employment opportunities. Click here for our jobs page.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.