Published: 2007-04-01T02:57+00:00
Last Updated: 2007-04-19T19:03+00:00
TRTA07-089A
Microsoft Windows ANI header stack buffer overflow
Overview
An unpatched buffer overflow vulnerability in the way Microsoft Windows handles animated cursor files is actively being exploited.
Event Information
Date (UTC) | Source | Description |
2007-04-17 18:10 | SANS Internet Storm Center | New variant of ANI (MS07-017) exploit |
2007-04-06 03:23 | Symantec | ThreatCON (2) => (1) |
2007-04-05 15:00 | Internet Security Systems | AlertCon (2) => (1) |
2007-04-04 00:42 | JPCERT/CC | JPCERT-AT-2007-0008: Vulnerability in Processing Windows Animated Cursor |
2007-04-03 19:48 | US-CERT | TA07-093A: Microsoft Update for Windows Animated Cursor Vulnerability Via US-CERT Mailing List |
2007-04-03 19:00 | US-CERT | Microsoft Releases Security Bulletin to Patch Animated Cursor Vulnerability Microsoft has released updates to address several vulnerabilities in Microsoft Windows as part of Microsoft Security Bulletin MS07-017. |
2007-04-03 | Microsoft | Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902) Security Bulletin published. |
2007-04-03 | Bugtraq | MS Windows Animated Cursor (.ANI) Universal Exploit Generator Vulnerability Proof Of Concept (CVE-2007-0038) #Cid: Uniwersal_Exp_Gen-ie_ani.tar.gz #Cid: 04032007-ie_ani.tar.gz |
2007-04-03 | Microsoft | Microsoft Security Advisory (935423): Vulnerability in Windows Animated Cursor Handling Animated Cursor Vulnerability (CVE-2007-0038) Microsoft has completed the investigation into a public report of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. We have issued MS07-017 to address this issue. |
2007-04-03 | SANS Internet Storm Center | INFOCon (2) => (1) |
2007-04-02 17:06 | Internet Security Systems | AlertCon (1) => (2) Our analysts have observed an increase in the level of active exploitation of the Microsoft ANI vulnerability. We continue to encourage our members to review the associated Microsoft Security Advisory (935423) to obtain workaround information. |
2007-04-01 05:20 | Microsoft Security Response Center Blog | Latest on security update for Microsoft Security Advisory 935423 We have some new information tonight on the status of the security update that we're working on that addresses the vulnerability in Windows Animated Cursor Handling. From our ongoing monitoring of the situation, we can say that over this weekend attacks against this vulnerability have increased somewhat. Additionally, we are aware of public disclosure of proof-of-concept code. In light of these points, and based on customer feedback, we have been working around the clock to test this update and are currently planning to release the security update that addresses this issue on Tuesday April 3, 2007. |
2007-04-01 | Symantec | W32.Fubalca Exploit for CVE-2007-0038 |
2007-04-01 | Bugtraq | MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass) Vulnerability Proof Of Concept (CVE-2007-0038) #Cid: 04012007-exp.zip #Tested: Windows Vista Enterprise Version 6.0 (Build 6000) #Tested: Windows Vista Ultimate Version 6.0 (Build 6000) #Tested: Windows XP SP2 |
2007-04-01 | Bugtraq | MS Windows XP Animated Cursor (.ANI) Remote Overflow Exploit 2 Vulnerability Proof Of Concept (CVE-2007-0038) #Cid: 04012007-ani.zip #Tested: Windows XP SP2 + IE 6 SP2 |
2007-04-01 | Bugtraq | MS Windows XP/Vista Animated Cursor (.ANI) Remote Overflow Exploit Vulnerability Proof Of Concept (CVE-2007-0038) #Cid: 04012007-Animated_Cursor_Exploit.zip #Tested: Windows Vista Enterprise Version 6.0 (Build 6000) #Tested: Windows Vista Ultimate Version 6.0 (Build 6000) #Tested: Windows XP SP2 |
2007-03-31 21:15 | SANS Internet Storm Center | Chinese Internet Security Response Team Reports ANI Worm The Chinese Internet Security Response Team reports the detection of a worm-like payload installed using the ANI-exploit. |
2007-03-31 14:31 | SANS Internet Storm Center | ANI exploit code drives INFOCon to Yellow INFOCon (1) => (2) The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly. |
2007-03-31 10:45 | Chinese Internet Security Response Team | New worm use the .ani zero day vulnerability It's bad news that the Windows Animated Cursor Handling zero-day vulnerability has been used by malware in China now. We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It can also infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts malicious links which contain the Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It can also send out Chinese spam which includes the same zero-day vulnerability link. |
2007-03-31 05:19 | Bugtraq | Windows .ANI Stack Overflow Exploit Vulnerability Proof Of Concept (CVE-2007-1765) NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred. #Cid: 23194.c |
2007-03-31 | SANS Internet Storm Center | ANI: It Gets Better |
2007-03-30 18:47 | US-CERT | TA07-089A: Microsoft Windows ANI header stack buffer overflow Via US-CERT Mailing List |
2007-03-30 05:53 | Determina | Vulnerability In Windows Animated Cursor Handling In December 2006, Determina announced that it had found a number of new vulnerabilities affecting Microsoft Windows and related products. These were privately reported to Microsoft by Determina and no public information was released on how to exploit these vulnerabilities. |
2007-03-30 03:14 | JPCERT/CC | JPCERT-AT-2007-0008: Vulnerability in Processing Windows Animated Cursor |
2007-03-30 | SANS Internet Storm Center | Detecting and filtering out windows animated cursor exploitation attempts The Chinese Internet Security Response Team reports the detection of a worm-like payload installed using the ANI-exploit. |
2007-03-30 | SANS Internet Storm Center | Ani cursor exploits against Microsoft E-mail clients - CVE-2007-0038 A short overview of how the different email clients (in the supported list of Microsoft) are reacting to the animated cursor vulnerability (CVE-2007-0038, previously also CVE-2007-1765) depending on the actions and settings of the email client. |
2007-03-30 | Internet Security Systems | Microsoft Windows Animated Cursor (ANI) Code Execution Microsoft Windows could allow a remote attacker to execute arbitrary code on the system caused by improper handling of malformed cursors, animated cursors or icons. |
2007-03-29 19:00 | Symantec | ThreatCON (1) => (2) |
2007-03-29 13:00 | US-CERT | Active Exploitation of an Unpatched Vulnerability in Microsoft Windows ANI Handling US-CERT is aware of a new, unpatched vulnerability in Microsoft Windows that could allow an attacker to execute arbitrary code. This vulnerability is caused by Windows failing to properly handle specially crafted animated cursor (ANI) files. |
2007-03-29 | Microsoft | Microsoft Security Advisory (935423): Vulnerability in Windows Animated Cursor Handling Animated Cursor Vulnerability (CVE-2007-0038) Advisory published. |
2007-03-28 22:44 | McAfee | Unpatched Drive-By Exploit Found On The Web |
2007-03-28 | McAfee | Exploit-ANIfile.c Exploit for CVE-2007-0038 |
2007-03-28 | Trend Micro | TROJ_ANICMOO.AX Exploit for CVE-2007-0038 |
2006-12-20 | Determina | Windows Animated Cursor Stack Overflow Vulnerability Determina Security Research has discovered a vulnerability in the USER32.DLL code responsible for loading animated cursor (.ANI) files. This vulnerability can be exploited by a malicious web page or HTML email message and results in remote code execution with the privileges of the logged-in user. |