Jump to content
Tuts 4 You

Vista Can Be Taken Down By An Animated Cursor


undertaker

Recommended Posts

In what could be the most embarrassing exploit to impact Windows Vista since its commercial launch in January, security engineers at McAfee's Avert Labs confirmed today - and posted the video to prove - that the operating system can be caused to enter an interminable crash-restart-crash loop, by means of a buffer overflow triggered by nothing more than a malformed animated cursor file.

It isn't even a new exploit, as researchers with eEye discovered in January 2005. At that time, Microsoft acknowledged it affected versions of the operating system from the first edition of Windows 98 through to early releases of Windows XP, though it stated at the time XP SP1 was unaffected.

But apparently after researching field reports of limited attacks, Avert Labs discovered an apparently similar exploit using .ANI files impacts XP SP2 and Vista, as well as Windows 2000 SP4 and versions of Windows Server 2003 from the initial release through to SP1. Avert Labs stated XP SP1 and versions since were unaffected, though Microsoft warned the exploit does affect XP SP2.

If both firms' accounts are correct, Microsoft may have fixed the problem with XP SP1 in 2005, and inadvertently un-fixed it sometime afterward.

Avert Labs' video of the incident, posted to YouTube, shows a Vista system wherein the test file apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista's newer features. It then informs the user that Windows Explorer has crashed.

But in trying to restart Explorer, the restarting crashes itself, sending Vista into a tailspin from which the only escape appears to be the off button.

The mouse input routines in Windows are designed with the intention of being relatively failsafe. That's why when the system appears to hang, you can often still move your mouse pointer. As I've personally witnessed on many occasions with Windows XP, it's possible for a smaller OEM's mouse driver - often an unsigned one - to trigger a similar tailspin loop that crashes Windows Explorer repeatedly. In Windows, a lot depends on the mouse pointer's very existence.

So if a customization feature can impact the mouse pointer's ability to function, the integrity of the entire system can be jeopardized. With my own systems, drivers and services that are unfriendly to one another - such as Stardock's CursorXP animation program trying to co-exist with a Synaptics Pointing Device driver on a notebook with ATI Mobility Radeon 9600 graphics - can trigger an Explorer tailspin.

What I'm calling the "tailspin" is nothing new. What is very disturbing about this revelation, however, is that it can be triggered by nothing more than Microsoft's own operating system software and processes.

McAfee reports this exploit is being utilized in the wild, and Microsoft today issued its boilerplate language warning users not to open e-mail attachments they don't recognize.

http://www.betanews.com/article/Vista_Can_Be_Taken_Down_by_an_Animated_Cursor/1175201875
Link to comment
If both firms' accounts are correct, Microsoft may have fixed the problem with XP SP1 in 2005, and inadvertently un-fixed it sometime afterward.

As far as exploits go, this is a pretty funny one. I wonder how many other 'critical' iss ues have been unfixed!

Link to comment

The exploit is already fixed. Afaik, Microsoft hasn't released a fix their selves yet.

So you have to go by third part software.

Link to comment

Patch fix

http://www.eeye.com/html/research/tools/WindowsANIZeroDayPatchSetup.exe

Source

http://research.eeye.com/html/research/tools/WindowsANIZeroDayPatchSource.txt
Link to comment
  • 2 weeks later...
Guest ToToRoYN

Here is one that came across my desk recently.

Last week, the media went schizophrenic over the Windows Vista speech recognition
Edited by ToToRoYN
Link to comment
Guest ToToRoYN

And here is another one, just for fun. I think these people have the right idea about some of the ridiculous "exploit" claims people come up with.

This week, two top Swedish security experts only to be named
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...