


                                                   JPCERT-AT-2007-0008
                                                             JPCERT/CC
                                March 30, 2007 (Original release date)
                                         April 11, 2007 (Last revised)

                  <<< JPCERT/CC Alert 2007-03-30 >>>

          Vulnerability in Processing Windows Animated Cursor

             http://www.jpcert.or.jp/at/2007/at070008.txt

I. Overview

  Microsoft has released a security advisory regarding a vulnerability
in animated cursor handling which remains unfixed. Animated cursors
are a feature that allows a series of frames to appear at the mouse
pointer location instead of a single image, thus producing a short
loop of animation.

  Exploitation of this vulnerability could allow a remote attacker to
execute arbitrary code. Actually, attacks exploiting this
vulnerability have been confirmed, but they are targeted attacks that
aim at specific targets.

    Microsoft Security Advisory (935423)
    Vulnerability in Windows Animated Cursor Handling
    http://www.microsoft.com/japan/technet/security/advisory/935423.mspx


II. Systems Affected

  According to Microsoft, the following systems are affected:

  Microsoft Windows 2000 Service Pack 4
  Microsoft Windows XP Service Pack 2
  Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
  Microsoft Windows XP Professional x64 Edition
  Microsoft Windows Server 2003
  Microsoft Windows Server 2003 for Itanium-based Systems
  Microsoft Windows Server 2003 Service Pack 1
  Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  Microsoft Windows Server 2003 x64 Edition
  Microsoft Windows Vista


III. Solution

  As of March 30, 2007, Microsoft has not released any security
updates for this vulnerability.

*** Update: Added on April 4, 2007 ***********************************

  On April 4, 2007 (JST), Microsoft released security updates. For
more information, refer to the following vendor's website:

    Microsoft Security Bulletin MS07-017
    Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
      (MS07-017)
    http://www.microsoft.com/japan/technet/security/bulletin/ms07-017.mspx

**********************************************************************


IV. Workarounds

  For detailed information on workarounds, refer to the advisories
released by Microsoft. As information on workarounds and solutions is
subject to review, users should check the latest versions.

    Microsoft Security Advisory (935423)
    Vulnerability in Windows Animated Cursor Handling
    http://www.microsoft.com/japan/technet/security/advisory/935423.mspx

  According to the reports from multiple security vendors, this
vulnerability does not affect systems running Mozilla Firefox.

*** Update: Added on April 11, 2007 **********************************
  
  It was confirmed that systems running Mozilla Firefox are also
affected by this vulnerability. Users are recommended to apply the
security updates released by Microsoft regardless of the browser used.

**********************************************************************


V. Reference Information

    JP Vendor Status Notes JVNVU#191609
    Microsoft Windows animated cursor ANI header stack buffer overflow
    http://jvn.jp/cert/JVNVU%23191609/index.html

    US-CERT Vulnerability Note VU#191609
    Microsoft Windows animated cursor ANI header stack buffer overflow
    http://www.kb.cert.org/vuls/id/191609

    CERT/CC Current Activity Archive
    Active Exploitation of an Unpatched Vulnerability in Microsoft
      Windows ANI Handling
    http://www.us-cert.gov/current/archive/2007/03/29/archive.html#WINANI

    @police
    Vulnerability in Microsoft Windows Animated Cursor Handling
      (March 30)
    http://www.cyberpolice.go.jp/important/2007/20070330_092644.html

*** Update: Added on April 4, 2007 ******************************************

    US-CERT Technical Cyber Security Alert TA07-089A
    Microsoft Windows Animated Cursor Buffer Overflow
    http://www.us-cert.gov/cas/techalerts/TA07-089A.html 

    US-CERT Technical Cyber Security Alert TA07-093A
    Microsoft Update for Windows Animated Cursor Vulnerability
    http://www.us-cert.gov/cas/techalerts/TA07-093A.html 

*********************************************************************


  If you have any information regarding this matter, please contact
us.

__________

Revision History
March 30, 2007   Initial release
April 4, 2007    Added information on the release of security updates
                 for this vulnerability
                 Added reference information URLs
April 11, 2007   Corrected the description of the impact on Mozilla Firefox

======================================================================
JPCERT Coordination Center (JPCERT/CC)
TEL: 03-3518-4600  FAX: 03-3518-4602
http://www.jpcert.or.jp/