Several of my posts over the last few months have centered around very targeted zero-day attacks. This post covers an exploit that McAfee researchers discovered in the field, posted to a message board. That posting was simply a proof of concept; however, McAfee Avert Labs has since received a malicious sample as well. It is quite likely that similar exploits targeting this vulnerability are currently being used in other attacks on the web.
Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack. Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
The vulnerability lies in the handling of malformed ANI (animated cursor) files. Known exploits download and execute arbitrary exe files. This vulnerability is reminiscent of MS05-002.
More information will be posted as it becomes available.
Update March 29 @ Noon
Additional information has been posted here:
http://www.labs.com/research/blog/?p=233
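Since the problem is the parsing of malformed ANI files, a defender-side check is to vet cursor files before they reach the OS parser. The following is an added example, not code from the original post or from McAfee: it walks the RIFF chunk structure of an animated cursor (RIFF form type "ACON") and flags any "anih" chunk whose declared size differs from the 36-byte ANIHEADER documented for the format, or a file carrying more than one such chunk. The sample files are constructed inline.

```python
import struct

# The documented ANI header (ANIHEADER) is 36 bytes; an "anih" chunk that
# declares any other size is malformed and worth flagging before the file
# is handed to the system cursor loader.
ANIH_EXPECTED_SIZE = 36

def walk_chunks(data, start, end, depth=0):
    """Yield (fourcc, size, depth) for each RIFF chunk in data[start:end],
    descending into LIST containers. Sizes are reported as declared, so a
    chunk that claims more bytes than remain is still surfaced."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        yield fourcc, size, depth
        if fourcc == b"LIST" and body + 4 <= end:
            # A LIST chunk holds a 4-byte list type followed by nested chunks.
            yield from walk_chunks(data, body + 4, min(body + size, end), depth + 1)
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length

def find_malformed_anih(data):
    """Return a list of problems found in an ANI file's anih chunks
    (empty list means the anih structure looks well-formed)."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    problems, seen = [], 0
    for fourcc, size, _ in walk_chunks(data, 12, len(data)):
        if fourcc != b"anih":
            continue
        seen += 1
        if size != ANIH_EXPECTED_SIZE:
            problems.append(f"anih #{seen} declares {size} bytes, expected {ANIH_EXPECTED_SIZE}")
    if seen == 0:
        problems.append("no anih chunk found")
    elif seen > 1:
        problems.append(f"{seen} anih chunks found, expected one")
    return problems

def build_ani(chunks):
    """Constructed sample helper: wrap (fourcc, payload) pairs in a RIFF/ACON file."""
    body = b"".join(fcc + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
                    for fcc, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

# Constructed samples: a minimal well-formed file and one with a second,
# oversized anih chunk of the kind a scanner should refuse.
GOOD_ANI = build_ani([(b"anih", bytes(36))])
BAD_ANI = build_ani([(b"anih", bytes(36)), (b"anih", b"\x41" * 100)])
```

Running find_malformed_anih over a mail or web gateway's cursor attachments gives a cheap structural filter that does not depend on a signature for any particular sample.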
According to this Secunia advisory from today and the McAfee advisory from March 28 (also found on Microsoft's site), the animated cursor found in pretty much any Microsoft OS (XP, Vista, 2000, 2003) can be used to exploit the machine?
I think I have discovered a virus behaving as the WGA updater. It came up on reboot before the system tray items executed and looked and behaved like Windows Genuine Advantage at first, and it asked me to initiate its procedure. It started the language bar up again, which was unusual, and then it halted its processes. Since I have my servers and sharing, and even remote registry services shut down, I assume it was a virus plugin which started the Chinese language font up which I have explicitly removed from my system. The false WGA notification program was also trying to initiate servers and other resident services just before it hung. I canceled and then it warned me that WGA notification could not be installed (bullshit). I went to Microsoft's update site and initiated updates, which worked just fine, else the WGA would have been valid!
I’m using Firefox but haven’t had this problem; I'll be sure to keep a lookout.
http://www.bencehersey.net
Windows XP is not good
I had a problem with my home computer which has McAfee and it said I needed to download a file from Microsoft to have the McAfee update work. I went to the web site that looked like an MS site and downloaded a 23 or 24 MB file. When I did that my cursor locked in the center of the screen and was unresponsive. I restarted my computer and the cursor is locked in the center of the screen and the keyboard does nothing. Is this the ANI? How do I repair the problem?
Could this be the reason why my hard drive gave up the ghost and was totally corrupted after a McAfee update & restart on Wednesday 28th?
Re: Ross & disabling active-scripting…
While disabling active-scripting would work on some attacks, it would not work on all of them. Scripting is not a requirement for this attack to succeed.
In response to Jeff & VSE & scanning RTF files…
RTF decomposition is handled in the scan engine and has been for as long as I can remember. Therefore all McAfee products that use the AV scan engine are able to “look inside” such RTFs.
Anybody know if turning off active-scripting is a viable way of protecting yourself from this vulnerability?
Our company doesn’t allow scripts to execute from non-trusted sites, and we block file attachments, but this vulnerability appears to bypass even these defenses.
Run the Cayman browser, with Sandboxie wrapped around it. This seems to make web surfing a treat.
Can you comment on the following article? Specifically, is VirusScan Enterprise capable of effectively scanning RTF files for this sort of vulnerability? I understand that it may take you some time to develop a signature for the vulnerability, but can VirusScan actually effectively look inside RTF files and scan embedded objects?
http://isc.sans.org/diary.html?storyid=2528
Thanks,
Jeff
This is probably related to the vulnerability I discovered and reported to Microsoft in December of last year. It was assigned CVE-2007-0037 and is described in more detail on our zero-day page: http://www.determina.com/security_center/zero_day.asp
If this is indeed the same issue, Internet Explorer 6, 7 and Firefox are vulnerable on all platforms, including Vista.