Vista Can Be Taken Down by an Animated Cursor

Postby rosco4140 » Thu Mar 29, 2007 11:54 pm

In what could be the most embarrassing exploit to impact Windows Vista since its commercial launch in January, security engineers at McAfee's Avert Labs confirmed today - and posted the video to prove - that the operating system can be caused to enter an interminable crash-restart-crash loop, by means of a buffer overflow triggered by nothing more than a malformed animated cursor file.

It isn't even a new exploit, as researchers with eEye discovered in January 2005. At that time, Microsoft acknowledged it affected versions of the operating system from the first edition of Windows 98 through to early releases of Windows XP, though it stated at the time XP SP1 was unaffected.

But apparently after researching field reports of limited attacks, Avert Labs discovered an apparently similar exploit using .ANI files impacts XP SP2 and Vista as well, as well as Windows 2000 SP4 and versions of Windows Server 2003 from the initial release through to SP1. Avert Labs stated XP SP1 and versions since were unaffected, though Microsoft warned the exploit does affect XP SP2.

If both firms' accounts are correct, Microsoft may have fixed the problem with XP SP1 in 2005, and inadvertently un-fixed it sometime afterward.

Avert Labs' video of the incident, posted to YouTube, shows a Vista system wherein the test file is apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.

But in trying to restart Explorer, the restarting crashes itself, sending Vista into a tailspin from which the only escape appears to be the off button.

The mouse input routines in Windows are designed with the intention of being relatively failsafe. That's why when the system appears to hang, you can often still move your mouse pointer. As I've personally witnessed on many occasions with Windows XP, it's possible for a smaller OEM's mouse driver - often an unsigned one - to trigger a similar tailspin loop that crashes Windows Explorer repeatedly. In Windows, a lot depends on the mouse pointer's very existence.

So if a customization feature can impact the mouse pointer's ability to function, the integrity of the entire system can be jeopardized. With my own systems, drivers and services that are unfriendly to one another - such as Stardock's CursorXP animation program trying to co-exist with a Synaptics Pointing Device driver on a notebook with ATI Mobility Radeon 9600 graphics - can trigger an Explorer tailspin.

What I'm calling the "tailspin" is nothing new. What is very disturbing about this revelation, however, is that it can be triggered by nothing more than Microsoft's own operating system software and processes.

McAfee reports this exploit is being utilized in the wild, and Microsoft today issued its boilerplate language warning users not to open e-mail attachments they don't recognize.

Postby CodeCrapper » Fri Mar 30, 2007 12:23 am

:shock: MS You ass holes!! :evil:

Proof

Postby Tomsee » Fri Mar 30, 2007 11:03 am

It proves what a normal person would know: nothing that is done by humans is safe, lol. Every time a new OS comes from Microsoft we get told it's the most secure one, but we all know it's not.

Thomas

Is this the first exploit in Vista?

Postby rosco4140 » Fri Mar 30, 2007 2:24 pm

Technically, it does affect Vista. Is this the first exploit in Vista?

It's worth noting what exactly the mitigation is with Vista.

- This exploit will not work under IE7 on Vista.
- This exploit will not work under Outlook 2007.
- This exploit will work under Vista and MS-Mail if a message with the exploit is replied to or forwarded only.
- UAC would stop this attack from damaging the system itself, but user data could be compromised as it doesn't need admin access to do that.

It sounds like browsing could be an issue if using a 3rd party browser that doesn't run in the same protected space that IE7 runs in.

Considering I use IE7 and Outlook 2007, this vulnerability couldn't touch me, but I can see where it could potentially be a problem with other users.

Postby CHEF-KOCH » Fri Mar 30, 2007 2:48 pm


Postby mrjoe » Mon Apr 02, 2007 9:02 pm

omg i was affected by that exact same thing...