MAJOR MS BOBO affects win2k,xp,vista

mitch · March 30, 2007, 08:56:09 PM

just got this from cert

National Cyber Alert System

Cyber Security Alert SA07-089A

Microsoft Windows ANI Vulnerability

Original release date: March 30, 2007
Last revised: March 30, 2007--
Source: US-CERT

Systems Affected

Microsoft Windows 2000, XP, Server 2003, and Vista are affected.
Affected applications include:

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
* Microsoft Windows Mail
* Microsoft Windows Explorer

Overview

A vulnerability exists in Microsoft Windows that could allow an
attacker to gain control of your computer.

Solution

Until updates are available, the following may reduce the chances of
successful exploitation:

Do not follow unsolicited or suspicious links
Do not click unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs directly
into the browser to avoid these misleading links.

Do not open or read untrusted email

Do not open or read email that comes from unknown or untrusted
sources.

Description

A vulnerability exists in Microsoft Windows that could allow an
attacker to gain control of your computer. This vulnerability occurs
when Microsoft Windows processes malicious animated cursor files.

US-CERT is tracking this issue as VU#191609.

References

* US-CERT Technical Cyber Security Alert TA07-089A - <http://www.us-cert.gov/cas/techalerts/TA07-089A.html>

* Vulnerability Note VU#191609 - <http://www.kb.cert.org/vuls/id/191609>

* Microsoft Security Advisory (935423) - <http://www.microsoft.com/technet/security/advisory/935423.mspx>

* Unpatched Drive-By Exploit Found On The Web - <http://www.avertlabs.com/research/blog/?p=230>

* TROJ_ANICHMOO.AX - Description and Solution -<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/alerts/SA07-089A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "SA07-089A Feedback VU#191609" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Corrine · March 31, 2007, 04:54:29 PM

See the update at MSRC Blog

Corrine · April 02, 2007, 04:08:29 PM

Further update -- and its NOT an April Fools joke. MSRC Blog reported that due to the increased risk to customers from the latest attacks associated with the vulnerability in Windows animated cursor handling, described in Microsoft Security Advisory 935423, Microsoft has expedited testing to provide the April security update tomorrow, a week earlier than usual.

http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

Frands · April 03, 2007, 08:08:51 PM

There is an update ready from Microsoft but there has been problems with with this update which cause following:
http://support.microsoft.com/kb/935448/en-us

Aaron Hulett · April 03, 2007, 10:26:27 PM

There's a Hotfix available from the Download Center to address the RealTek issue. It should only be installed if the issue is experienced after patching this:

MS07-017: Vulnerability in GDI could allow remote code execution
http://support.microsoft.com/kb/925902/

Corrine · April 04, 2007, 12:38:27 AM

Quote from: CorrineMicrosoft has expedited testing to provide the April security update tomorrow, a week earlier than usual.

Please also note the clarification in the MSRC Blog that today's release was expedited but information will be forthcoming on Thursday regarding update(s) for April 10.

Since you may miss these finer points in the MSRC Blog, I'll make a point of breaking down several important points:

This vulnerability affects all supported versions of Windows and Windows Server, including Windows Vista, and have been web-based and e-mail based. However:

If you are using Windows Vista, the Internet Explorer 7 protected mode provides additional protections against web-based attacks.
If you're using Outlook 2007, you're protected against e-mail based attacks.
Running as a standard user further protects you by limiting the attacker's code with the same limitation on the logged-on user.

:rose:

Frands · April 04, 2007, 11:06:03 AM

FYI:

QuoteThere has been some confusion around whether or not Vista is vulnerable to remote code execution.

http://www.avertlabs.com/research/blog/?p=245

Frands · April 04, 2007, 11:21:12 AM

Install this update to resolve an issue where the Realtek HD Audio Control Panel may not start after you install security update KB925902 (MS07-017) and security update KB928843 (MS07-008).
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=74ad4188-3131-429c-8fcb-f7b3b0fd3d86

Corrine · April 08, 2007, 12:40:10 AM

Christopher Budd posted an excellent follow up on the MSRC Blog. See http://blogs.technet.com/msrc/archive/2007/04/06/microsoft-knowledge-base-article-925902-updated.aspx