- Innovation, regulation and research on tap at RSA 2008
- Researchers uncover 100 VoIP vulnerabilities
- Badware not pushing users offline
- Web attacks won't stop
- Most sites still hack-able
- Tips on employee monitoring
- Research: IT security maturing, but misaligned
- Clarke sharply criticizes Bush cyber-security plans
- Conference seeks to bridge risk, research
- Core finds new CEO
April 02, 2007 | Comments: (0)
ZERT patches MS cursor flaw
Microsoft may have promised that it will release a rare out of cycle patch for the recent flaw in Windows animated cursor (or ANI) files, but that's not soon enough for the folks at the Zero Day Emergency Response Team (ZERT), who announced Monday that they have a fix for the flaw that will protect users from circulating attacks.
News about the hole in Windows processing of ANI files surfaced last week, and by this weekend publicly available exploits had surfaced, as had reports of Web sites serving up attacks that target the vulnerable file type. That prompted Microsoft to announce late Sunday that it would break its typical patch cycle and release a fix for the ANI problem on Tuesday, a week ahead of its scheduled patch release on April 10.
ZERT, a group made up of security researchers, first began issuing its own patches for previously unknown and unpatched (or "zero day") holes in September, when it issued an unofficial fix for a hole in Windows processing of Vector Markup Language (VML) graphics.
The group decided to release the latest patch because it was concerned that previous patches of ANI problems by Microsoft were insufficient, and that a non-vendor patch from eEYE was too specific to the latest hole in ANI files, according to an message board post by Gadi Evron, a founding member of ZERT.
Although eEye has released a third-party patch that will prevent the latest exploit from working, it doesn't fix the flawed copy routine. It simply requires that any cursors loaded must reside within the Windows directory (typically C:⁄WINDOWS⁄ or C:⁄WINNT⁄). This approach should successfully mitigate most "drive-by's," code execution scenarios, but it might also break third-party applications that use animated cursors within their own program directories.
"For this reason, ZERT is releasing a patch which addresses the core of the vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk will be copied to the stack buffer, thus eliminating all potential exploit paths while maintaining compatibility with well-formatted animated cursor files," Evron wrote.
The Zert patch, which is available here, works on Windows 98, 2000, XP and Vista.
For its part, Microsoft has discouraged customers from using third party patches by eEYE or others. Customers are advised to tune their firewalls to spot known attacks and to make other configuration changes that will limit exposure until an official patch is available.
Posted by Paul Roberts on April 2, 2007 01:56 PM
RATE THIS ARTICLE:
-
- COMMENTS
| ZERO DAY PODCAST |
| Listen to the latest podcast: |
MP3
•
•
•
Archive
•
![[VoiceIndigo Mobilize - Listen to podcasts on your mobile phone]](http://www.voiceindigo.com/ht/images/mobilize_logo_sm.gif){kind=logo}
|
TOP STORIES
ADDITIONAL RESOURCES
- Do you have the power to resolve technical issues with one call?
- Take control of your content- leverage Microsoft SharePoint
- Keeping the E-Mail Flowing
- Flexible, Scalable, Enterprise Storage for Virtual Infrastructures
- Virtual Servers Meet Virtual Storage
- Four Steps to Disaster Recovery and Business Continuity Using iSCSI
