If there’s a hole to be found in Windows, the bad guys will find it, and the latest one is definitely unique. A vulnerability in all versions of Windows, including Vista, has been found in how the operating systems handle animated cursors, according to a Microsoft security advisory.
The exploit is delivered through either a Web page or an e-mail message that contains the malicious code. One need not even open the e-mail; merely previewing it would be enough for the code to be executed.
This would allow for what’s called a “drive-by installation,” where code is installed on the user’s computer without them even knowing it. The computer could then become part of a botnet.
“This is one of the more serious ones as this allows remote code execution,” Don Leatham, director of solutions and strategy at PatchLink, told internetnews.com. “The key thing here is to look at email policy and enforce plain text email within Outlook and ensure scripting is turned off in Web browsers and users are advised not to visit unknown or untrusted Web sites. Because this is an application-based vulnerability impact it can affect systems running a wide range of operating systems including Vista.”
Warnings have been posted on Microsoft’s Security Advisory site as well as McAfee’s Avert Labs. Avert said it has found samples of the virus “in the wild,” meaning on the Internet.
Microsoft has added detection of the virus to its Windows Live OneCare scanner, and McAfee has updated VirusScan to detect it as well.
Animated cursors are simple animations of the mouse pointer, such as the rotating hourglass. These animations use files with a .ani suffix, but the attack is not limited to just .ani files, so blocking them won’t be enough, according to the Microsoft alert.
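Because blocking the .ani suffix is not enough, a filter has to recognize animated cursors by their content rather than their name. The sketch below is an added example, not code from the article or from Microsoft: it assumes the standard RIFF container layout with form type ACON that animated cursor files use, and the function names, labels and sample bytes are constructed for illustration.

```python
import struct

def is_ani(data: bytes) -> bool:
    """True when data is a RIFF container whose form type is ACON (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def list_chunks(data: bytes):
    """Walk top-level RIFF chunks; return (id, declared_size, truncated) tuples."""
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        truncated = pos + 8 + size > len(data)  # declared size runs past the data
        chunks.append((cid.decode("latin-1"), size, truncated))
        if truncated:
            break
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length
    return chunks

def classify(filename: str, data: bytes) -> str:
    """Label a file by content first, then compare with its extension."""
    if not is_ani(data):
        return "not-ani"
    if any(t for _, _, t in list_chunks(data)):
        return "ani-malformed"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "ani" if ext == "ani" else "ani-disguised"

def make_sample_ani() -> bytes:
    """Constructed sample: minimal container with one 36-byte 'anih' chunk."""
    body = b"ACON" + b"anih" + struct.pack("<I", 36) + bytes(36)
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    sample = make_sample_ani()
    for name, blob in [("busy.ani", sample), ("photo.jpg", sample),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)),
                       ("busy.ani", sample[:30])]:
        print(name, classify(name, blob), list_chunks(blob) if is_ani(blob) else [])
```

A mail or web gateway would apply `classify` to attachments and downloads and quarantine anything labelled `ani-disguised` or `ani-malformed`, whatever the file is called.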
While it does affect all flavors of Windows, even Vista, Microsoft said customers who are using Internet Explorer 7 on Windows Vista have some mitigation due to IE 7’s protected mode. There is no word from Microsoft on how this affects Firefox.