Security Researchers Say Windows .ANI Problem Surfaced Two Years Ago - InformationWeek


The Windows .ANI bug that has plagued users for the past week is nearly the exact same problem Microsoft had to patch two years ago, security experts say.

Security researchers say the Windows .ANI bug that has been plaguing users for the past week first surfaced -- and was patched -- in early 2005.

Microsoft, however, says the .ANI vulnerability found this year is different from the one found years ago. But some security experts say it's the same mistake in the same process, and they're questioning how Microsoft could have missed it.

"If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005," said Craig Schmugar, a threat researcher with McAfee. "It would have saved a whole lot of people a lot of time, money, and effort."

Microsoft declined a telephone interview for this story, but a spokesman did e-mail InformationWeek to say that while the two vulnerabilities are both related to cursor and icon format handling, each vulnerability is unique.

The .ANI vulnerability involves the way Windows handles animated cursor files. It's a buffer overflow problem. The flaw, which affects all recent Windows releases, including Windows Vista, could enable a hacker to remotely take control of an infected system. Internet Explorer is the main attack vector for the exploits. Researchers concluded this week that Mozilla's open source browser Firefox also is at risk, though exploits haven't been focusing on it.

While Determina researchers had alerted Microsoft about the current vulnerability in December, the company still hadn't pulled together a patch for it before the exploits came out more than three months later. Once the exploits hit toward the end of March, Microsoft said it had nearly 100 technicians working around the clock for several days to get an emergency patch ready. It was shipped April 3.

Security researchers say the release of a patch won't stop the exploits. It won't even slow them down. In just a matter of days, analysts at Websense, a security company, found more than 700 Web sites that are spreading the .ANI exploit. Researchers also have found an exploit being sent out in a spam campaign that was luring users to malicious Web sites with promises of pictures of a naked Britney Spears. Automated toolkits began popping up online to let even lesser hackers build their own exploit malware.

Researchers at eEye Digital Security found a .ANI flaw in Microsoft's Windows back in 2004 and reported it to the company, said Andre Protas, a director at eEye, in an interview. Microsoft released a patch for it on Jan. 11, 2005.

Like today, that .ANI bug resulted in a lot of exploits and trouble for IT managers. McAfee's Schmugar said the .ANI exploits spent quite a bit of time in his company's top-five exploit list. The exploits, then as today, were transport mechanisms for a variety of malware that infected users' computers.

Both vulnerabilities received a critical rating.
