Channel 9 Forums - Coffeehouse - Crashes with animated cursors. What the hell?

Coffeehouse - Crashes with animated cursors. What the hell?

YearOfTheLinuxDesktop — Fri, 30 Mar 2007 08:33:23 GMT

Don't drag&drop an animated cursor over me, I could stop responding!

Coffeehouse - Crashes with animated cursors. What the hell?

Ray6 — Fri, 30 Mar 2007 10:30:36 GMT

YearOfTheLinuxDesktop wrote:

Don't drag&drop an animated cursor over me, I could stop responding!

Well that is quite simply .... unbelievable.

So a drive-by click managed to crash Vista?

So what happened to all that stuff about a vulnerability not propogating down through the layers?

Unbelievable, but I think I already said that.

Coffeehouse - Crashes with animated cursors. What the hell?

androidi — Fri, 30 Mar 2007 17:04:57 GMT

I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering MS quotes below) b) why the email html preview is affected but IE7 in protected mode is not? (why doesn't protected mode apply to email viewing, it's still html?)

Couple select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx

"Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

This one is weird:

"By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.

"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically or is there some user action still required?

Coffeehouse - Crashes with animated cursors. What the hell?

harumscarum — Fri, 30 Mar 2007 17:08:26 GMT

I hope c9 doesnt start using animated cursors.

Coffeehouse - Crashes with animated cursors. What the hell?

JonathonW — Fri, 30 Mar 2007 17:52:18 GMT

androidi wrote:

I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering MS quotes below) b) why the email html preview is affected but IE7 in protected mode is not? (why doesn't protected mode apply to email viewing, it's still html?)

Couple select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx

"Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

This one is weird:

"By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.

"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically or is there some user action still required?

It sounds like the bug works like this:

Animated cursors (*.ani) show a preview of the cursor as the icon in Windows Explorer. So, when a malformed animated cursor is placed on the desktop (and probably any other folder), it causes Explorer to stop responding while it attempts to draw the animated cursor as the icon for the file.

There's no way this attack could be automated (unless your email client lets files automatically be downloaded to the desktop). The cursor file could only end up on the desktop (triggering this bug) if the user decided to download the file, which could be an email attachment or a file downloaded from the web. If it's in an email attachment, it doesn't matter whether you're using HTML mail or not, you can still download the attachment.

It all boils down to not downloading files from untrusted sources-- if you follow that rule, you're fine.

[edit] It appears that this can also be exploited when an HTML page includes a malformed cursor file as well... that's why IE7 isn't affected in Protected Mode. Word's HTML viewing prevents this bug from being exploited because it's not a full featured HTML viewer-- it can't use an animated cursor included in a webpage.

Coffeehouse - Crashes with animated cursors. What the hell?

androidi — Fri, 30 Mar 2007 19:44:04 GMT

CannotResolveSymbol wrote:

[edit] It appears that this can also be exploited when an HTML page includes a malformed cursor file as well... that's why IE7 isn't affected in Protected Mode. Word's HTML viewing prevents this bug from being exploited because it's not a full featured HTML viewer-- it can't use an animated cursor included in a webpage.

"Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

Assuming you're right it still doesn't explain the above quote. How come Word's HTML viewing prevents but a plain text (no html parsing) doesn't? It just doesn't make any sense assuming the bug can be exploited just by opening the mail in plain text and not clicking some .ani attachment or stuff.

Coffeehouse - Crashes with animated cursors. What the hell?

YearOfTheLinuxDesktop — Fri, 30 Mar 2007 20:34:22 GMT

an unofficial patch for this bug came out just today.

Coffeehouse - Crashes with animated cursors. What the hell?

Cybermagellan — Fri, 30 Mar 2007 21:58:30 GMT

if I remember the article it says that it's a malformed ani file. So the file is corrupt in the first place.

Coffeehouse - Crashes with animated cursors. What the hell?

Lazycoder2 — Fri, 30 Mar 2007 22:06:01 GMT

Man, if you can't trust the little walking dinosaur and the drum to not crash your machine, who can you trust?

Coffeehouse - Crashes with animated cursors. What the hell?

Bas — Mon, 02 Apr 2007 08:47:08 GMT

Well, looks like the patch is getting released early.