RJARRRPCGP, posted April 4, 2007 (edited)

Windows 9x users need to be on the lookout for web sites with .ani files!

This is the dreaded animated cursor vulnerability bug I'm talking about.

Edited April 4, 2007 by RJARRRPCGP

the xt guy, posted April 4, 2007 (edited)

We've all by now heard about the Windows .ani cursor exploit. Microsoft is calling this not merely a 'critical' update but an 'extremely critical' update.

Since all support for Win 98 and ME ended last June, I obviously didn't expect to see either one of these O/S listed as vulnerable, much less any patches.

But this website:
http://www.securityfocus.com/bid/23194
does list both Win 98 and ME as vulnerable.

Is this a concern for Win 98, or will perhaps just uninstalling IE completely (along with OE) and using Firefox take care of it?

Edited April 4, 2007 by the xt guy

BenoitRen, posted April 4, 2007 (edited)

EDIT: I felt it was better to make a new topic with all the information concerning this, and to remove my earlier (ignorant) reply from here.

Edited April 5, 2007 by BenoitRen

BenoitRen, posted April 5, 2007

I actually tested this myself.

I figured all that was needed was opening the .ani file with a program. So I saved it to my desktop. As soon as I had minimised all my windows, a window came up that told me Explorer had caused an error and had to close. I clicked close, which restarted Explorer, and let the message reappear. Repeat ad infinitum.

Now, I didn't want to lose the cache of my SeaMonkey, so I tried to find another way of getting out of this mess than pushing the reset button. However, I couldn't do anything while that error window was on the screen. Pressing Ctrl+Esc didn't work. I tried pressing it repeatedly while closing the window, which brought up the Task Manager. The window was still there, though, and other than select the tasks, I couldn't do anything. I closed the window again, and this time it didn't come back. I opened the Start menu, and deleted the file through the DOS prompt, and all was well again.

Contrary to many reports, Firefox (and hence other Mozilla browsers) is vulnerable. This Flash movie explains how.

This PDF explains how the exploit works.

BenoitRen, posted April 5, 2007

Apparently ZERT has a patch that also applies to Windows 98. I wonder if the same one can be used for Windows 95.

MDGx, posted April 5, 2007

No need for the Zert patch.

Please see this post:
http://www.msfn.org/board/?s=&showtopi...st&p=641766

Windows 98 (FE), 98 SP1, 98 SE + ME *already* have a patch: U891711.

U891711 has its own forum topic:
http://www.msfn.org/board/?showtopic=58780

__________________________________

BTW:
These 3 topics have been merged because they have same subject.
Please do not start more than 1 topic with same subject.
If you wish, you can modify the title of any topic you started, in order to match the subject better.

If you want to:
- change the title of a topic but don't know how
- delete a post
- already have started a topic with same subject as another but realized you did after you posted it
just PM me.

HTH [Hope This Helps]

BenoitRen, posted April 5, 2007

I hate it how this is less of a Win9x forum and more of a Win98/ME forum!

WHAT ABOUT WINDOWS 95?!

Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.

oscardog, posted April 5, 2007

> I hate it how this is less of a Win9x forum and more of a Win98/ME forum!
> WHAT ABOUT WINDOWS 95?!
> Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.

The only thing I can tell you is that it works without problems on a lited 98 using a 95 shell, backup your system and give it a try.

Many thanks to the author.

MDGx, posted April 5, 2007

> I hate it how this is less of a Win9x forum and more of a Win98/ME forum!
> WHAT ABOUT WINDOWS 95?!
> Looking at the .inf file of the patch, I don't dare install this thing. It also sounds like this will just add an extra process instead of fixing the vulnerability once and for all.

No, it's not.

The reality is that some of us use 98, 98 SE and/or ME, just not 95/OSR1/OSR2 anymore. That's why we cannot test/build such patches under Win95.

But please feel free to test it on your 95 computer, and if it works ok, I'll modify the installer to include all Win95 editions.

Thanks for your time.

About the U891711 patch being just another process:
That's the only way this vulnerability can be fixed as far as I'm aware [from what I'm told by the anonymous author].

If you have any better ideas, have knowledge of how this exploit works in Win95 and/or earlier editions of Internet Explorer [32 and/or 16 bit], and eventually which system file(s) need to be patched [permanently], please don't hesitate to post here your patch(es), results, thoughts etc.

HTH [Hope This Helps]

BenoitRen, posted April 5, 2007

The only way it can be fixed? I don't think so. You have to patch whatever file/function handles the ANI header to check if its size will fit, according to the PDF that documents how this works.

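The size check this post calls for, as an added example that is not part of the thread and is not the code of any patch mentioned in it: a C validator that walks the chunks of a RIFF/ACON (.ani) buffer and rejects any `anih` header chunk whose declared size is not the 36 bytes of the ANIHEADER structure. The names `ani_check` and `ani_sample` and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36u /* ANIHEADER is nine 32-bit fields */

enum ani_result { ANI_OK, ANI_NOT_ANI, ANI_TRUNCATED, ANI_BAD_ANIH, ANI_NO_ANIH };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the top-level chunks of a RIFF/ACON buffer. Bounds come from the
 * real buffer length, never from size fields stored in the file. */
enum ani_result ani_check(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_NOT_ANI;
    size_t off = 12;
    int seen_anih = 0;
    while (off + 8 <= len) {
        uint32_t size = rd_le32(buf + off + 4);
        if (memcmp(buf + off, "anih", 4) == 0) {
            /* A loader that copies this chunk into a fixed 36-byte header
             * structure must reject any other declared size first. */
            if (size != ANIH_SIZE) return ANI_BAD_ANIH;
            seen_anih = 1;
        }
        if (size > len - off - 8) return ANI_TRUNCATED;
        off += 8 + (size_t)size + (size & 1u); /* chunks are 2-byte aligned */
    }
    return seen_anih ? ANI_OK : ANI_NO_ANIH;
}

/* Constructed sample (not a real cursor): one zero-filled "anih" chunk
 * whose declared size is `declared`. Returns bytes written, 0 if no room. */
size_t ani_sample(uint8_t *out, size_t cap, uint32_t declared) {
    size_t total = 12 + 8 + (size_t)declared;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4);
    for (int i = 0; i < 4; i++) {
        out[4 + i] = (uint8_t)((total - 8) >> (8 * i));
        out[16 + i] = (uint8_t)(declared >> (8 * i));
    }
    return total;
}
```

The validator checks every `anih` chunk it encounters, not only the first, and it only inspects top-level chunks.
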
BenoitRen, posted April 5, 2007

I have an additional concern. How are we to trust this patch if the author doesn't even want to give us his name, and wants to remain anonymous?

BenoitRen, posted April 6, 2007

By the way, you know how M$ fixed it? By patching user32.dll

Ninho, posted April 8, 2007

> By the way, you know how M$ fixed it? By patching user32.dll

Sure, but in the Win 9x series, it is USER.EXE which needs a patch. USER32 is just a small stub, all the meat is in the 16 bit USER.

However, the title of this thread is misleading: in Win 9x, the malformed ani exploit does lead to a GPF while some internal USER function is trying to return to garbage, the GPF is caught by Windows which makes the calling process crash (generally, it'll be the Explorer.exe shell which is then auto-restarted by Windows).

So this is at most a "denial of service", especially if you had the bad .ani file lying on the Desktop - this being part of explorer, causing an almost unendable chain of crash/restart...

*BUT* contrary to the Windows NT/2k/XP... series, on Windows 9x in no case can a "sploit" of this kind cause instructions, contained as data in the malicious file, to be handed control and executed. This is immense superiority of the Intel X86 *segmented* model over the (easy to use but lame) "flat" programming model adopted by MS in NT and ff., and also, regrettably, adopted by Linux even on the X86. (Only the first version of OS/2 had it right. Twas a Microsoft product by the way, which shows MS could do things right if they wanted, but did not - money not right-doing being their goal.)

And, oh! yes, I've done some "debugging" (soft-iceing...) of the ani crashing explorer before posting this answer.

Cheers, pals

Ninho, posted April 10, 2007

> WHAT ABOUT WINDOWS 95?!

> please feel free to test it on your 95 computer, and if it works ok, I'll modify the installer to include all Win95 editions.

I am pleased to report that the unofficial U891711 seems to be working perfectly in Windows 95 (OSR2 with IE 5.5 SP1 here); of course the installer will refuse to start, so I extracted manually the KB891711.EXE & Q891711.DLL to (my Windir)\System\U891711\ ... and under the HKLM\...\RunServices registry key, I added name U891711, value: (myWindir)\SYSTEM\U891711\KB891711.EXE.

[Disclaimer: Reader! don't try the above unless you feel confident you understand the necessary steps and the way to undo them, if needed]

After a reboot the proof of concept malformed animated cursors do not crash Explorer any more.

Thank the anonymous author of this patch, and please MDGx will you review your installer to allow for Win95.

-- Ninho

galahs, posted April 10, 2007

Thanks for testing that for the Win 95 users