Vulnerability Note VU#191609
Microsoft Windows animated cursor ANI header stack buffer overflow
Microsoft Windows contains a stack buffer overflow in the handling of
animated cursor files. This vulnerability may allow a remote attacker
to execute arbitrary code or cause a denial-of-service condition.
Animated cursor files (.ani) contain animated graphics for icons and
cursors. A stack buffer overflow vulnerability exists in the way that
Microsoft Windows processes malformed animated cursor files.
Microsoft Windows fails to properly validate the size specified in the
ANI header. Note that Windows Explorer will process ANI files with
several different file extensions, such as .ani, .cur, or .ico.
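The size check described above can be applied defensively to files at a mail or web gateway. The following is an added example, not code from this note or from Microsoft. It assumes the RIFF "ACON" container layout and the 36-byte ANIHEADER structure; the function names and sample data are constructed for illustration. Files are identified by content because the extension may be .ani, .cur, or .ico.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER is nine 32-bit fields; any other declared size is malformed

def iter_chunks(buf, start, end):
    """Yield (fourcc, declared_size, data_offset) for each RIFF chunk in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length

def check_ani(buf, max_depth=8):
    """Return findings for RIFF/ACON data; [] if clean or not an animated cursor."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return []  # identified by content, since the extension may be .ani, .cur or .ico
    findings = []

    def walk(start, end, depth):
        for fourcc, size, off in iter_chunks(buf, start, end):
            name = fourcc.decode("latin-1")
            if fourcc == b"anih" and size != ANIH_SIZE:
                findings.append(f"anih at offset {off - 8}: declared size {size}, expected {ANIH_SIZE}")
            if off + size > end:
                findings.append(f"{name} at offset {off - 8}: declared size {size} exceeds container")
                return
            if fourcc == b"LIST" and size >= 4 and depth < max_depth:
                walk(off + 4, off + size, depth + 1)  # skip the 4-byte list type

    walk(12, len(buf), 0)
    return findings

def _riff_acon(*chunks):
    """Build constructed sample data: a RIFF/ACON container around the given chunks."""
    body = b"ACON" + b"".join(
        cc + struct.pack("<I", len(d)) + d + b"\0" * (len(d) & 1) for cc, d in chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples (not real cursor files): header fields are zeroed placeholders.
GOOD = _riff_acon((b"anih", struct.pack("<9I", 36, *[0] * 8)))
BAD = _riff_acon((b"anih", b"\0" * 64))     # declared header size 64 instead of 36
NOT_ANI = b"\x00\x00\x02\x00" + b"\0" * 20  # unrelated bytes with no RIFF signature

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD), ("not-ani", NOT_ANI)):
        print(label, check_ani(data) or "no findings")
```

A file that produces any finding should be quarantined rather than passed to a system that will render it.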
Note that animated cursor files are parsed when the folder that
contains them is opened or when the file is used as a cursor. In
addition, Internet Explorer
can process ANI files in HTML documents, so web pages and HTML email
messages can also trigger this vulnerability.
More information on this vulnerability is available in Microsoft
Security Advisory (935423).
This vulnerability is being actively exploited.
A remote, unauthenticated attacker may be able to execute arbitrary
code or cause a denial-of-service condition.
We are unaware of a practical solution to this vulnerability. Until a
fix is available, the following workarounds may reduce the chances of
Configure Outlook to display messages in plain text.
An attacker may be able to exploit this vulnerability by convincing a
user to display a specially crafted HTML email. This can happen
automatically if the preview pane is enabled in your mail client.
Configuring Outlook to display email in plain text can help prevent
exploitation of this vulnerability through email. Consider the
security of fellow Internet users and send email in plain text format
Note: The Outlook Express option for displaying messages in plain
text will not prevent exploitation of this vulnerability. This
workaround is only viable for systems with Microsoft Outlook.
Disable preview pane.
By disabling the preview pane in your mail client, incoming email
messages will not be automatically rendered. This can help prevent
exploitation of this vulnerability.
Configure Windows Explorer to use Windows Classic Folders
When Windows Explorer is configured to use the "Show common tasks in
folders" option, HTML within a file may be processed when that file
is selected. If the "Show common tasks in folders" option is enabled,
selecting a specially crafted HTML document in Windows Explorer may
trigger this vulnerability. Note that the "Show common tasks in
folders" option is enabled by default. To mitigate this attack vector,
enable the "Use Windows classic folders" option. To enable this
option in Windows Explorer:
* Open Windows Explorer
* Select Folder Options from the Tools menu
* Select the "Use Windows classic folders" option in the Tasks section
Do not follow unsolicited links.
In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly into
the browser to avoid these misleading links. While these are generally
good security practices, following them will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Vendor                 Status      Date Updated
Microsoft Corporation  Vulnerable  29-Mar-2007
This vulnerability was reported by McAfee.
This document was written by Jeff Gennari and Will Dormann.
Date Public: 03/29/2007
Date First Published: 03/29/2007 02:23:30 PM
Date Last Updated: 03/30/2007
CVE Name: CVE-2007-0038
Document Revision: 27
Produced 2007 by US-CERT, a government organization