
WARNING: The ani cursor exploit works in Win9x too!


RJARRRPCGP


perhaps just uninstalling IE completely (along with OE) and using Firefox takes care of it?

The ANI flaw is a Windows flaw, not an IE thing; Firefox will also pass the .ANI file to Windows and you'll still get infected. The question is, does Opera support ANI cursors too? If so, same problem. IMHO, if this flaw is that critical (as they claim), MS should have provided a patch back to 98 & ME. Oh well, whatever, I knew the community would stand up and defend itself.



Firefox will also pass the .ANI file to Windows and you'll still get infected

Firefox (and other Gecko-based browsers) doesn't support ANI files. However, there's an undisclosed exploit that tricks Firefox into making Windows load it.


does anyone know of another test page for this exploit besides...

Doesn't anyone here (besides me) read and post to any of the win-98 usenet groups?

I hate web-forums like this. I say this because I posted the following a few days ago in microsoft.public.win98.gen_discussion.

Anyways, to answer your question, look here:

http://www.rootkit.net.cn/read.php?23

And here:

http://www.milw0rm.com/sploits/04012007-exp.zip

When you unzip that file, and if you browse the directory containing the unzipped contents, user.exe will crash when you browse down to the point that riff.ani appears in the explorer window.

So go at it and tell me if the unofficial U891711 mod works or not.


does anyone know of another test page for this exploit besides ZERT's? The test page has no effect on my 98 box with either IE6 or SeaMonkey and all filtering disabled. I have 891711 installed but not running.

Rick

These are the ones I know of [all listed in U891711.TXT: http://www.mdgx.com/files/U891711.TXT ]:
INFO + DEMO

* MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass):

http://www.rootkit.net.cn/read.php?23

This HTML demo invokes %windir%\CALC.EXE if successful [ZIPPed]:

http://www.milw0rm.com/sploits/04012007-exp.zip

* Flash demo of .ANI exploit:

http://www.determina.com/security.research/flash/ani.html

* Zert .ANI exploit demo:

http://zert.isotf.org/tests/testani.htm

Acrobat PDF of .ANI exploit:

http://zert.isotf.org/papers/ani-notes.pdf

* Security Focus Bulletin:

http://www.securityfocus.com/bid/23194

* Proof-of-concept demo of malformed .ANI cursor using 'LoadImage' exploit:

http://www.xfocus.net/flashsky/icoExp/

This applies *only* to Microsoft Internet Explorer 5.5 SP2, 6.0 + 6.0 SP1:

http://www.mdgx.com/toy.htm#IEX

First try demos above without any fix installed.

Then install official MS05-002 fix, reboot, and try the demo again.

Then install unofficial U891711 fix, reboot, and try the demo again.

Please notice differences in behavior (if any) between these 2 fixes.

HTH

_____________________________________

Ninho:

I am pleased to report that the unofficial U891711 seems to be working perfectly in Windows 95 (OSR2 with IE 5.5 SP1 here); of course the installer will refuse to start, so I manually extracted KB891711.EXE & Q891711.DLL to (my Windir)\System\U891711\ ... and under the HKLM\...\RunServices registry key, I added name U891711, value: (myWindir)\SYSTEM\U891711\KB891711.EXE.

[Disclaimer : Reader! don't try the above unless you feel confident you understand the necessary steps and the way to undo them, if needed]

After a reboot the proof of concept malformed animated cursors do not crash Explorer any more.

Thank the anonymous author of this patch, and please, MDGx, will you review your installer to allow for Win95.

--

Ninho

I have modified the installer, U891711 now installs on all Win9x editions, including Windows 95, OSR1 + OSR2.

U891711: Unofficial Windows 95/98/ME Q891711.DLL 4.10.2223 + KB891711.EXE 4.10.2227 Fix [120 KB, English]:

http://www.mdgx.com/files/U891711.EXE

Read U891711.TXT FIRST:

http://www.mdgx.com/files/U891711.TXT

U891711 also fixes the Animated Cursor (.ANI) GDI Engine Security Vulnerability:

http://www.microsoft.com/technet/security/...n/ms07-017.mspx

U891711 forum:

http://www.msfn.org/board/?showtopic=58780

HTH


The only way it can be fixed? I don't think so. You have to patch whatever file/function handles the ANI header to check if its size will fit, according to the PDF that documents how this works.
Here is your answer from the anonymous author:

http://www.msfn.org/board/?s=&showtopi...st&p=643822

I have an additional concern. How are we to trust this patch if the author doesn't even want to give us his name, and wants to remain anonymous?
Because it is everybody's right to be anonymous in a public forum or anywhere else on the internet for that matter, and as you might well know, some people are concerned about their privacy on the internet, as I'm sure you are too.

Let me ask you something:

How can I trust to answer your questions, when I don't even know your real name?

How do you trust to ask me any questions [and me to give you pertinent answers] when you don't even know my real name?

Do you put your real name in every email account, public forum membership, ICQ, AOL/IM/MSN/Yahoo/etc messenger etc you subscribe to?

I don't think so, because if you did, you would demonstrate a lack of knowledge about breach of privacy on the internet.

And by looking at your MSFN nickname [handle], looks like you do know not to put your real name. ;)

But even though we don't know each other's real names, we still carry on a civilized conversation, and implicitly we trust each other in the confines of this forum.

Another question:

Just because Microsoft is a famous company name in the computing business, do you trust them with your computer or with your privacy info?

I know the majority here at MSFN do not, and you shouldn't either.

I know the anonymous author has the knowledge and the preparedness [PhD degree] to fix/debug/patch M$ system files, and that's enough as far as I'm concerned.

But you don't have to download/try/install/read any of these patches/files if you don't want to.

That is only your choice.

And it is my choice to trust the anonymous author.

And we also must respect his wish of remaining anonymous.

By the way, you know how M$ fixed it? By patching user32.dll.
Here is your answer from the anonymous author:

http://www.msfn.org/board/?s=&showtopi...st&p=643822

HTH [Hope This Helps]

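The exchange above turns on one point: the code that handles the ANI header must check that the chunk's declared size actually fits the fixed-size header structure. The following scanner is an added example, not code from the thread, from the anonymous patch author, or from Microsoft. It walks the RIFF chunks of a .ani file (including chunks nested in LIST containers) and flags every anih chunk whose declared length, or whose own cbSizeof field, differs from 36 bytes. The 36-byte figure is the size of the documented ANIHEADER structure (nine DWORD fields) and is an assumption taken from the ANI format, not from the forum; the sample cursors at the bottom are constructed for the demonstration and contain no real icon data. The scanner deliberately checks every anih chunk, not only the first, because a validation that stops after the first header misses a later oversized one.

```python
import struct

# sizeof(ANIHEADER): nine DWORD fields (cbSizeof, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, JifRate, flags). Assumption taken from the documented
# ANI format, not from the forum thread.
ANIHEADER_SIZE = 36


def iter_chunks(data, start, limit):
    """Yield (chunk_id, payload_offset, declared_size) for each RIFF chunk in data[start:limit]."""
    pos = start
    while pos + 8 <= limit:
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield chunk_id, pos + 8, size
        pos += 8 + size + (size & 1)  # RIFF pads odd-sized payloads to an even boundary


def scan_ani(data):
    """Return a list of findings for a .ani file; an empty list means every anih chunk fits its struct."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)

    def walk(start, limit):
        for chunk_id, payload, size in iter_chunks(data, start, limit):
            if payload + size > limit:
                findings.append(f"{chunk_id!r} at offset {payload - 8}: declared size {size} runs past its container")
                return
            if chunk_id == b"anih":
                # Every anih chunk is checked, not only the first: the declared chunk
                # length is what a naive loader copies into the fixed-size header struct.
                if size != ANIHEADER_SIZE:
                    findings.append(f"anih at offset {payload - 8}: chunk length {size}, expected {ANIHEADER_SIZE}")
                else:
                    (cb_sizeof,) = struct.unpack_from("<I", data, payload)
                    if cb_sizeof != ANIHEADER_SIZE:
                        findings.append(f"anih at offset {payload - 8}: cbSizeof field {cb_sizeof}, expected {ANIHEADER_SIZE}")
            elif chunk_id == b"LIST" and size >= 4:
                walk(payload + 4, payload + size)  # skip the 4-byte list type, then recurse into sub-chunks

    walk(12, end)
    return findings


def riff_chunk(chunk_id, payload):
    """Encode one RIFF chunk with the even-length padding the format requires."""
    pad = b"\0" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", len(payload)) + payload + pad


def build_sample_ani(anih_payloads):
    """Constructed sample: an ACON container with the given anih payloads and one placeholder frame."""
    body = b"ACON" + b"".join(riff_chunk(b"anih", p) for p in anih_payloads)
    body += riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\0" * 8))  # placeholder frame, not a real icon
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed well-formed header: cbSizeof=36, one frame, one step, rate 6 jiffies, flags=1 (AF_ICON)
WELL_FORMED_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 6, 1)
# Constructed malformed header: the cbSizeof field still says 36, but the chunk carries 100 bytes
OVERSIZED_ANIH = WELL_FORMED_ANIH + b"\0" * 64

if __name__ == "__main__":
    print(scan_ani(build_sample_ani([WELL_FORMED_ANIH])))                  # []
    print(scan_ani(build_sample_ani([WELL_FORMED_ANIH, OVERSIZED_ANIH])))  # one finding on the second anih
```

Run it against a directory of downloaded cursors before browsing that directory in Explorer: any non-empty result means the file is not worth opening on an unpatched Win9x box. The recursion into LIST chunks matters because a cursor loader that handles nested chunks will reach an anih placed there just as readily as one at the top level.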

Because it is everybody's right to be anonymous in a public forum or anywhere else on the internet for that matter, and as you might well know, some people are concerned about their privacy on the internet, as I'm sure you are too.

I know, and that wasn't my concern.

Let me ask you something:

How can I trust to answer your questions, when I don't even know your real name?

How do you trust to ask me any questions [and me to give you pertinent answers] when you don't even know my real name?

You provide me with a unique identifier. You're not just some anonymous person among the dozens of other anonymous people. You also post here and are a moderator. I can check your posting history for one thing, and look at your reputation.

And by looking at your MSFN nickname [handle], looks like you do know not to put your real name.

Actually, it is my real name, sort of. It's my first name plus part of my last name. Usually I would post as just "Benoit", but I had to find something else when I wanted a screen name for AIM. Since then I'm BenoitRen on most message boards. I never cared for nicknames, I wanted to have only one name.
