
WARNING: The ani cursor exploit works in Win9x too!


RJARRRPCGP



We've all by now heard about the Windows .ani cursor exploit. Microsoft is calling this not merely a 'critical' update but an 'extremely critical' update.

Since all support for Win 98 and ME ended last June, I obviously didn't expect to see either of these OSes listed as vulnerable, much less any patches.

But this website:

http://www.securityfocus.com/bid/23194

does list both Win 98 and ME as vulnerable.

Is this a concern for Win 98, or will perhaps just uninstalling IE completely (along with OE) and using Firefox take care of it?

Edited by the xt guy

I actually tested this myself.

I figured all that was needed was opening the .ani file with a program. So I saved it to my desktop. As soon as I had minimised all my windows, a window came up that told me Explorer had caused an error and had to close. I clicked Close, which restarted Explorer, and let the message reappear. Repeat ad infinitum.

Now, I didn't want to lose the cache of my SeaMonkey, so I tried to find another way of getting out of this mess than pushing the reset button. However, I couldn't do anything while that error window was on the screen. Pressing Ctrl+Esc didn't work. I tried pressing it repeatedly while closing the window, which brought up the Task Manager. The window was still there, though, and other than selecting the tasks, I couldn't do anything. I closed the window again, and this time it didn't come back. I opened the Start menu, deleted the file through the DOS prompt, and all was well again.

Contrary to many reports, Firefox (and hence other Mozilla browsers) is vulnerable. This Flash movie explains how.

This PDF explains how the exploit works.


No need for the Zert patch.

Please see this post:

http://www.msfn.org/board/?s=&showtopi...st&p=641766

Windows 98 (FE), 98 SP1, 98 SE + ME *already* have a patch: U891711.

U891711 has its own forum topic:

http://www.msfn.org/board/?showtopic=58780

__________________________________

BTW:

These 3 topics have been merged because they have the same subject.

Please do not start more than 1 topic with the same subject.

If you wish, you can modify the title of any topic you started, in order to match the subject better.

If you want to:

- change the title of a topic but don't know how

- delete a post

- have already started a topic with the same subject as another, but only realized it after you posted

just PM me.

HTH [Hope This Helps]


I hate it how this is less of a Win9x forum and more of a Win98/ME forum!

WHAT ABOUT WINDOWS 95?!

Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.


> I hate it how this is less of a Win9x forum and more of a Win98/ME forum!
>
> WHAT ABOUT WINDOWS 95?!
>
> Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.

The only thing I can tell you is that it works without problems on a lite'd 98 using a 95 shell; back up your system and give it a try.

many thanks to the author


> I hate it how this is less of a Win9x forum and more of a Win98/ME forum!
>
> WHAT ABOUT WINDOWS 95?!
>
> Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.

No, it's not.

The reality is that some of us use 98, 98 SE and/or ME, just not 95/OSR1/OSR2 anymore. :(

That's why we cannot test/build such patches under Win95.

But please feel free to test it on your 95 computer, and if it works ok, I'll modify the installer to include all Win95 editions.

Thanks for your time.

About the U891711 patch being just another process:

That's the only way this vulnerability can be fixed as far as I'm aware [from what I'm told by the anonymous author].

If you have any better ideas, have knowledge of how this exploit works in Win95 and/or earlier editions of Internet Explorer [32 and/or 16 bit], and eventually which system file(s) need to be patched [permanently], please don't hesitate to post here your patch(es), results, thoughts etc.

HTH [Hope This Helps]


> By the way, you know how M$ fixed it? By patching user32.dll

Sure, but in the Win 9x series, it is USER.EXE which needs a patch. USER32 is just a small stub, all the meat is in the 16 bit USER.

However, the title of this thread is misleading: in Win 9x, the malformed ani exploit does lead to a GPF while some internal USER function is trying to return to garbage; the GPF is caught by Windows, which makes the calling process crash (generally it'll be the Explorer.exe shell, which is then auto-restarted by Windows).

So this is at most a "denial of service", especially if you had the bad .ani file lying on the Desktop - this being part of Explorer, causing an almost unending chain of crash/restart...

*BUT*, contrary to the Windows NT/2k/XP... series, on Windows 9x in no case can a "sploit" of this kind cause instructions, contained as data in the malicious file, to be handed control and executed. This is the immense superiority of the Intel x86 *segmented* model over the (easy to use but lame) "flat" programming model adopted by MS in NT and ff., and also, regrettably, adopted by Linux even on the x86. (Only the first version of OS/2 had it right. 'Twas a Microsoft product by the way, which shows MS could do things right if they wanted, but did not - money, not right-doing, being their goal.)

And, oh! yes, I've done some "debugging" (soft-iceing...) of the ani crashing explorer before posting this answer.

Cheers, pals

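To make concrete what a fixed loader has to check before a malformed cursor can reach the code path described in the post above, here is an added example that is not code from this thread, from Microsoft's patch or from the unofficial U891711: a small RIFF/ANI chunk walker in C that rejects a file if any chunk's declared length runs past the end of the file, or if an `anih` chunk is not exactly the 36 bytes the ANIHEADER structure occupies. The container layout used here (RIFF form type `ACON`, a 36-byte `anih` header chunk, odd-length chunks padded to even) is the documented ANI format; that the original defect was copying the `anih` chunk using the length field taken from the file into a fixed-size header is the widely reported description of this bug, not something the thread itself states. The sample images are constructed inline, and the function names (`ani_validate`, `ani_build`, `ani_check_sample`) are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: a defensive RIFF/ANI chunk walker.  The names and the sample
 * data are constructed for this illustration; they are not taken from the
 * thread, from the Microsoft patch or from U891711. */

#define ANIH_SIZE 36u   /* size of the ANIHEADER structure an anih chunk must carry */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 if buf/len is a structurally sound ANI image, 0 if any chunk's
 * declared length runs past the file or an anih chunk is not ANIH_SIZE bytes.
 * Every anih chunk is checked, not only the first one. */
int ani_validate(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return 0;
    size_t riff_len = rd32le(buf + 4);          /* bytes after the 8-byte RIFF header */
    if (riff_len < 4 || riff_len > len - 8)
        return 0;
    size_t end = 8 + riff_len;
    size_t pos = 12;                            /* first chunk follows the "ACON" tag */
    int saw_anih = 0;
    while (pos + 8 <= end) {
        const uint8_t *id = buf + pos;
        size_t clen = rd32le(buf + pos + 4);
        pos += 8;
        if (clen > end - pos)                   /* length field points past the data */
            return 0;
        if (memcmp(id, "anih", 4) == 0) {
            if (clen != ANIH_SIZE)              /* the bound the vulnerable loader did not enforce */
                return 0;
            saw_anih = 1;
        }
        pos += clen + (clen & 1);               /* RIFF pads odd-length chunks to even */
    }
    return saw_anih;
}

/* Builds a constructed ANI image: RIFF/ACON holding one anih chunk whose length
 * field says anih_len and which is followed by body_len zero bytes.  The two
 * values are passed separately so the length field can lie about the payload.
 * Returns bytes written, or 0 if the buffer is too small. */
size_t ani_build(uint8_t *out, size_t cap, uint32_t anih_len, size_t body_len) {
    size_t total = 12 + 8 + body_len;
    if (total > cap) return 0;
    memcpy(out, "RIFF", 4);
    wr32le(out + 4, (uint32_t)(4 + 8 + body_len)); /* "ACON" + chunk header + payload */
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    wr32le(out + 16, anih_len);
    memset(out + 20, 0, body_len);
    return total;
}

/* Builds a sample with the given anih length field and payload and validates it. */
int ani_check_sample(uint32_t anih_len, size_t body_len) {
    uint8_t buf[256];
    size_t n = ani_build(buf, sizeof buf, anih_len, body_len);
    return n ? ani_validate(buf, n) : 0;
}

int main(void) {
    printf("well-formed (anih=36, 36 bytes):        %d\n", ani_check_sample(36, 36));
    printf("anih length overruns file (4096, 36):   %d\n", ani_check_sample(4096, 36));
    printf("consistent sizes, anih too big (40,40): %d\n", ani_check_sample(40, 40));
    return 0;
}
```

The third sample is the one worth noticing: its RIFF and chunk lengths are all internally consistent, so a loader that only checks that chunks fit inside the file would accept it, and only the fixed-size check on `anih` itself rejects it. That is also why the thread's observation that Win9x merely crashes rather than executes code changes nothing about which check is missing; the file is malformed either way.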

> WHAT ABOUT WINDOWS 95?!
>
> please feel free to test it on your 95 computer, and if it works ok, I'll modify the installer to include all Win95 editions.

I am pleased to report that the unofficial U891711 seems to be working perfectly in Windows 95 ( OSR2 with IE 5.5 SP1 here); of course the installer will refuse to start, so I extracted manually the KB891711.EXE & Q891711.DLL to (my Windir)\System\U891711\ ... and under the HKLM\...\RunServices registry key, I added name U891711, value : (myWindir)\SYSTEM\U891711\KB891711.EXE .

[Disclaimer : Reader! don't try the above unless you feel confident you understand the necessary steps and the way to undo them, if needed]

After a reboot the proof of concept malformed animated cursors do not crash Explorer any more.

Thanks to the anonymous author of this patch, and please, MDGx, will you review your installer to allow for Win95.

--

Ninho

