Crashes with animated cursors. What the hell?

    YearOfTheLinuxDesktop
    Ray6

    YearOfTheLinuxDesktop wrote:


    Well that is quite simply .... unbelievable.

    So a drive-by click managed to crash Vista?

    So what happened to all that stuff about a vulnerability not propagating down through the layers?

    Unbelievable, but I think I already said that.

    androidi

    I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering MS quotes below) b) why the email html preview is affected but IE7 in protected mode is not? (why doesn't protected mode apply to email viewing, it's still html?)

    Couple select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx


    "Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

    This one is weird:

    "By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

    So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.


    "Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

    Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically or is there some user action still required?


    harumscarum

    I hope c9 doesn't start using animated cursors.

    CannotResolveSymbol

    androidi wrote:
    

    I have to say I'm puzzled by a) how they managed to get it to crash like that (assuming all default settings and considering MS quotes below) b) why the email html preview is affected but IE7 in protected mode is not? (why doesn't protected mode apply to email viewing, it's still html?)

    Couple select quotes from http://www.microsoft.com/technet/security/advisory/935423.mspx


    "Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode"

    This one is weird:

    "By default, Outlook 2007 uses Microsoft Word to display e-mail messages which protects customers from the HTML e-mail preview and attack vector"

    So now viewing stuff in Word protects in this case? One would figure that Word would have more features and thus bugs.


    "Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

    Ouch. This one is surprising. I'd like to ask, how the hel* does the cursor get past that automatically or is there some user action still required?




    It sounds like the bug works like this:

    Animated cursors (*.ani) show a preview of the cursor as the icon in Windows Explorer.  So, when a malformed animated cursor is placed on the desktop (and probably any other folder), it causes Explorer to stop responding while it attempts to draw the animated cursor as the icon for the file.

    There's no way this attack could be automated (unless your email client lets files automatically be downloaded to the desktop).  The cursor file could only end up on the desktop (triggering this bug) if the user decided to download the file, which could be an email attachment or a file downloaded from the web.  If it's in an email attachment, it doesn't matter whether you're using HTML mail or not, you can still download the attachment.

    It all boils down to not downloading files from untrusted sources--  if you follow that rule, you're fine.

    [edit] It appears that this can also be exploited when an HTML page includes a malformed cursor file as well...  that's why IE7 isn't affected in Protected Mode.  Word's HTML viewing prevents this bug from being exploited because it's not a full featured HTML viewer--  it can't use an animated cursor included in a webpage.
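
Several replies describe the trigger as a "malformed" .ani file. As an added example (not part of any post in this thread, and not Microsoft's fix), the following Python code runs generic structural checks on the RIFF/ACON container that animated cursors use. Which inconsistencies count as malformed is an assumption, since the thread does not say what was wrong with the file; `check_ani`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # ANIHEADER is nine 32-bit fields in a well-formed 'anih' chunk

def check_ani(data):
    """Return a list of structural problems in an .ani (RIFF/ACON) byte string."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    problems = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = riff_size + 8
    if end > len(data):
        problems.append("RIFF size exceeds file length")
        end = len(data)
    anih_seen, pos = 0, 12
    while pos + 8 <= end:
        tag, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if body + size > end:
            problems.append(f"chunk {tag!r} at offset {pos} overruns its container")
            break
        if tag == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                problems.append(f"anih at offset {pos} declares {size} bytes, expected {ANIH_SIZE}")
        # LIST chunks hold sub-chunks after a 4-byte list type: descend into them.
        # Other chunks are skipped whole, honouring RIFF's 2-byte alignment.
        pos = body + 4 if tag == b"LIST" else body + size + (size & 1)
    if anih_seen != 1:
        problems.append(f"expected exactly one anih chunk, found {anih_seen}")
    return problems

def build_sample(anih_body):
    """Constructed test input: a minimal ACON file holding only an anih chunk."""
    payload = b"ACON" + b"anih" + struct.pack("<I", len(anih_body)) + anih_body
    return b"RIFF" + struct.pack("<I", len(payload)) + payload

# Constructed samples, not real cursor files.
GOOD = build_sample(struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1))
SHORT_HEADER = build_sample(b"\0" * 8)
TRUNCATED = GOOD[:-10]

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("short", SHORT_HEADER), ("truncated", TRUNCATED)]:
        print(name, check_ani(blob) or "ok")
```

A scanner like this belongs at a mail or web gateway, where a file that fails any check can be quarantined before a shell or browser ever tries to render it.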

    androidi

    CannotResolveSymbol wrote:
    
    [edit] It appears that this can also be exploited when an HTML page includes a malformed cursor file as well...  that's why IE7 isn't affected in Protected Mode.  Word's HTML viewing prevents this bug from being exploited because it's not a full featured HTML viewer--  it can't use an animated cursor included in a webpage.


    "Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability"

    Assuming you're right it still doesn't explain the above quote. How come Word's HTML viewing prevents but a plain text (no html parsing) doesn't? It just doesn't make any sense assuming the bug can be exploited just by opening the mail in plain text and not clicking some .ani attachment or stuff.

    YearOfTheLinuxDesktop

    An unofficial patch for this bug came out just today.

    Cybermagellan

    If I remember the article, it says that it's a malformed ani file. So the file is corrupt in the first place.

    Lazycoder2

    Man, if you can't trust the little walking dinosaur and the drum to not crash your machine, who can you trust?

    Bas

    Well, looks like the patch is getting released early.
