androidi wrote:

I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering the MS quotes below) and b) why the email HTML preview is affected but IE7 in protected mode is not (why doesn't protected mode apply to email viewing? It's still HTML).

A couple of select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx

"Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

This one is weird:

"By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.

"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically, or is there some user action still required?

It sounds like the bug works like this:

Animated cursors (*.ani) show a preview of the cursor as the icon in Windows Explorer. So, when a malformed animated cursor is placed on the desktop (and probably any other folder), it causes Explorer to stop responding while it attempts to draw the animated cursor as the icon for the file.

There's no way this attack could be automated (unless your email client lets files automatically be downloaded to the desktop). The cursor file could only end up on the desktop (triggering this bug) if the user decided to download the file, which could be an email attachment or a file downloaded from the web. If it's in an email attachment, it doesn't matter whether you're using HTML mail or not; you can still download the attachment.

It all boils down to not downloading files from untrusted sources -- if you follow that rule, you're fine.

[edit] It appears that this can also be exploited when an HTML page includes a malformed cursor file as well... that's why IE7 isn't affected in Protected Mode. Word's HTML viewing prevents this bug from being exploited because it's not a full-featured HTML viewer -- it can't use an animated cursor included in a webpage.
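The reply above turns on one point: the parser that draws an .ani preview trusts the chunk sizes written in the file. A defender-side way to see what "malformed" means here is a strict structural check of the RIFF container that an animated cursor is built from, which is what the example below does. This is added example code, not code from the thread or from Microsoft; it assumes only the public .ani layout (a RIFF file with form type `ACON` and a fixed 36-byte `anih` header chunk), and the sample files it checks are constructed inline, not real samples from the advisory.

```python
import struct

# An animated cursor is a RIFF container: "RIFF" <u32 length> "ACON" followed by
# chunks of the form <fourcc> <u32 size> <payload> (payload padded to even length).
# The "anih" chunk carries the ANIHEADER structure, which is always 36 bytes.
ANIH_SIZE = 36


def check_ani(data: bytes) -> list:
    """Return a list of structural findings for an .ani file; [] means it looks sane.

    The checks are deliberately conservative: every declared size must fit inside
    the data that is actually present, and the anih chunk must be exactly 36 bytes.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]

    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        findings.append(f"RIFF length {riff_len} exceeds file size {len(data)}")
    end = min(len(data), riff_len + 8)

    pos = 12          # first chunk follows "RIFF", length, "ACON"
    anih_count = 0
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > end:
            findings.append(
                f"chunk {fourcc!r} at offset {pos} declares size {size} past end of data")
            break
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(
                    f"anih chunk at offset {pos} has size {size}, expected {ANIH_SIZE}")
        pos += 8 + size + (size & 1)   # RIFF pads odd-sized payloads by one byte

    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present, expected exactly one")
    return findings


def build_ani(anih_payload: bytes) -> bytes:
    """Build a minimal RIFF/ACON file holding a single anih chunk (test helper)."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    if len(anih_payload) & 1:
        chunk += b"\x00"
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed 36-byte ANIHEADER (cbSize, cFrames, cSteps,
# cx, cy, cBitCount, cPlanes, jifRate, flags), one whose anih chunk is too large,
# and one whose anih chunk claims 1000 bytes the file does not contain.
GOOD_ANI = build_ani(struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1))
OVERSIZED_ANI = build_ani(b"A" * 64)
TRUNCATED_ANI = GOOD_ANI[:16] + struct.pack("<I", 1000) + GOOD_ANI[20:]

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ANI), ("oversized", OVERSIZED_ANI),
                         ("truncated", TRUNCATED_ANI)]:
        print(name, check_ani(sample) or "ok")
```

The check never allocates or copies based on a declared size, so it is safe to run over untrusted attachments in a mail gateway or on a file share. Anything it flags is not necessarily an exploit, only a file that no legitimate cursor editor would produce, which is the right bar for quarantining before Explorer ever tries to render it.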