Alias(es): MS.Windows.User32.DLL.ANI.Stack.Overflow.B, Windows.User32.DLL.ANI.Stack.Overflow, MS.Windows.User32.DLL.ANI.Stack.Overflow.C
Release Date: Sep 11, 2006
Severity: critical
Impact: System compromise: remote code execution.
Description: This indicates an attempt to exploit a stack-based buffer overflow vulnerability in the ANI handler of Microsoft Windows. ANI files (animated cursor files) can be used by Internet Explorer and by other applications that use IE components internally, such as Outlook, Outlook Express, MS Office and the Windows shell. Because USER32.DLL does not sufficiently validate the AnimationHeaderBlock length field of ANI files, an attacker may craft a malformed ANI file and send it to a victim via email or a URL link. Once the victim opens the malformed ANI file, it can overwrite the stack return address and execute arbitrary code, embedded in the ANI file, on an affected system. The affected system will be compromised for further attacks to the extent of the victim's rights on the system.
Affected Products:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 for Itanium-based Systems
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
- Microsoft Windows Vista
Recommended Actions: Microsoft released Security Bulletin MS05-002 to handle this issue. However, it did not resolve it completely, so Microsoft released a new Security Bulletin, MS07-017, for it. Please apply this patch.
Coverage: IPS, VCM
Common Vulnerabilities and Exposures (CVE): CVE-2007-0038, CVE-2005-0416
Reference/s:
- http://technet.microsoft.com/en-us/security/bulletin/MS07-017.mspx (MS-ID)
- http://www.securityfocus.com/bid/23194 (BugTraq)
- http://www.determina.com/security.research/vulnerabilities/ani-header.html
- http://research.eeye.com/html/advisories/published/AD20050111.html
- http://www.securityfocus.com/bid/12233 (BugTraq)
- http://technet.microsoft.com/en-us/security/bulletin/ms05-002.mspx (MS-ID)
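
The length-field validation that the description says was missing can be illustrated with a small file checker. This is an added example, not the IPS signature's logic or vendor code: it walks the RIFF chunks of an ANI file and flags any `anih` header chunk whose declared length differs from the fixed header size. The 36-byte header size and the RIFF/ACON layout come from the ANI file format rather than from this page; the function names and sample bytes are constructed for illustration.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER), nine 32-bit fields (format fact, not from the page)

def iter_chunks(buf, start, end):
    """Yield (id, declared_size, data_offset) for each RIFF chunk in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", buf, pos)
        yield cid, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length

def check_ani(buf):
    """Return a list of findings; empty means every anih chunk has the fixed size."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    findings, seen, todo = [], 0, [(12, len(buf))]
    while todo:
        start, end = todo.pop()
        for cid, size, off in iter_chunks(buf, start, end):
            if off + size > end:
                findings.append(f"{cid!r} at offset {off - 8}: size {size} overruns its container")
                break
            if cid == b"LIST" and size >= 4:
                todo.append((off + 4, off + size))  # skip list type, scan sub-chunks
            elif cid == b"anih":
                seen += 1
                if size != ANIH_SIZE:  # checked for every anih chunk, not only the first
                    findings.append(f"anih at offset {off - 8}: size {size}, expected {ANIH_SIZE}")
    if not findings and seen == 0:
        findings.append("no anih chunk found")
    return findings

# Constructed sample inputs (zero-filled, no real cursor data).
def chunk(cid, data):
    return cid + struct.pack("<I", len(data)) + data + b"\x00" * (len(data) & 1)

def riff(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD = riff(chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)))
BAD = riff(chunk(b"anih", bytes(64)))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ani(sample) or "ok")
```

A check like this can run in a mail or web gateway before a cursor file reaches a client; it complements the MS07-017 patch and does not replace it.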