Unfixed Outlook & IE hole allows XP & Vista user promotion to Admin

I’d already decided not to post about this, but then learned more. There is no fix. No workaround. I’m vulnerable and at this point, I can’t do anything about it. Even on Vista, just previewing an HTML email in Outlook 2002+ means you are vulnerable. And that’s not just OE but the REAL Outlook used in offices everywhere. You can’t turn off JavaScript, or ActiveX or anything. You don’t even crash. Your system is just pwned…

What does MS have to say?

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. […] Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.  Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. – http://blogs.pcworld.com/staffblog/archives/003973.html

For Outlook, the only workaround Microsoft offers is “read all e-mail in plain text rather than HTML”. I know Outlook REALLY well, but I don’t remember a setting that does that. There’s no workaround at all for Internet Explorer. Basically any application that embeds the IE rendering engine, even one you might have written in Delphi that happens to have a TWebBrowser component in it and loads content from the outside world, is vulnerable, because the cursor is parsed by Windows itself, not by the browser. So if you have any custom email programs you’ve written, watch out!

The basic avenue of attack is a specially crafted animated cursor (.ani) file, referenced from a web page or an HTML e-mail. As soon as IE or Outlook renders the content, the attacker’s code runs with your privileges; there is no prompt and no crash, it just instantly happens. If you are running as a Limited user (because we all only use admin accounts when we need to… Yeah, right!), the code can then chain a separate local privilege-escalation bug to promote itself to Administrator, and then do whatever it pleases, from rootkits to personal web servers. Oh! and of course don’t forget that an “animated” cursor does not have to visibly animate. It can look exactly like your normal cursor, and the exploit fires while the file is being parsed, before anything is drawn.
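The cursor file is parsed by content, not by file name, so a gateway or mail filter that only looks at extensions misses it. The following is an added example, not code from the post, from Microsoft or from eEye: a content-based scanner for .ani payloads. Two details it relies on come from the public MS07-017 analysis rather than from this post and are assumptions here: an .ani file is a RIFF container with form type ‘ACON’, its ‘anih’ header chunk is exactly 36 bytes, and the 2007 exploits carried an ‘anih’ chunk whose declared length was larger than that. The sample files at the bottom are constructed for the demonstration.

```python
"""Content-based scanner for animated-cursor (.ani) files.

Added example; not code from the original post, from Microsoft or from
eEye.  Assumptions (public MS07-017 details, not stated in the post): an
.ani file is a RIFF container with form type 'ACON'; its 'anih' header
chunk is exactly 36 bytes (nine DWORDs); the 2007 exploits shipped an
'anih' chunk whose length field exceeded that.  Windows picks the cursor
parser from the bytes, not the extension, so the scanner ignores names.
"""
import struct

ANIH_LEN = 36          # sizeof(ANIHEADER): cbSize plus eight DWORD fields
MAX_LIST_DEPTH = 4     # guard against pathological LIST nesting


def riff_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for chunks in data[start:end].

    Stops when a chunk header no longer fits.  The caller checks whether the
    declared size actually fits, because that is where the bugs live.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)   # RIFF chunks are WORD-aligned


def scan_ani(data):
    """Return (is_ani, findings).

    is_ani is True when the RIFF/ACON signature is present.  findings lists
    every structural problem that a trustworthy cursor never shows.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return False, findings

    (riff_len,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_len)
    anih_count = 0

    def walk(start, stop, depth):
        nonlocal anih_count
        for fourcc, off, size in riff_chunks(data, start, stop):
            if off + size > stop:
                findings.append(
                    f"{fourcc!r} at {off - 8} declares {size} bytes but only "
                    f"{stop - off} remain (truncated or lying length)")
                return                      # nothing after this is trustworthy
            if fourcc == b"anih":
                anih_count += 1
                if size != ANIH_LEN:
                    findings.append(
                        f"anih #{anih_count} at {off - 8} has length {size}, "
                        f"expected {ANIH_LEN} (MS07-017 pattern)")
            elif fourcc == b"LIST" and depth < MAX_LIST_DEPTH:
                walk(off + 4, off + size, depth + 1)   # skip the list type tag

    walk(12, end, 0)
    if anih_count == 0:
        findings.append("no anih chunk: not a cursor Windows would animate")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks: a real cursor has one")
    return True, findings


def verdict(data):
    """Collapse scan_ani into 'not-ani', 'ani-ok' or 'ani-suspicious'."""
    is_ani, findings = scan_ani(data)
    if not is_ani:
        return "not-ani"
    return "ani-suspicious" if findings else "ani-ok"


def chunk(fourcc, payload):
    """Build one RIFF chunk with a correct length field and WORD padding."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(*chunks):
    """Wrap chunks in a RIFF container of form type ACON."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples; not captured from any real incident.
ANIH_OK = chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1))
FRAME = chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 22))   # placeholder icon
BENIGN_ANI = riff_acon(ANIH_OK, FRAME)
# A valid first anih followed by a 200-byte one: the shape the 2007 exploits used.
OVERSIZED_ANI = riff_acon(ANIH_OK, chunk(b"anih", b"A" * 200), FRAME)
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\0" * 20   # a genuine JPEG start, for contrast

if __name__ == "__main__":
    # Same bytes served as "pointer.jpg" would get the same verdict.
    for name, blob in [("benign.ani", BENIGN_ANI), ("pointer.jpg", OVERSIZED_ANI),
                       ("photo.jpg", REAL_JPEG_HEADER), ("cut.ani", BENIGN_ANI[:40])]:
        print(f"{name:12} {verdict(blob):15} {scan_ani(blob)[1]}")
```

The scanner walks nested LIST chunks because a cursor’s frames live inside `LIST fram`, and it refuses to trust anything after a chunk whose declared length overruns the file, since a lying length field is the whole point of the attack. Run it over attachments and fetched web resources regardless of extension; the second sample is an .ani file in every way that matters even if it arrives as `pointer.jpg`.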

In the Computerworld article “Windows Zero-Day Flaw ‘Very Dangerous,’ Experts Say” (subtitled “Bug affecting IE and Windows is potentially very damaging, and there’s no quick fix in sight”), by Gregg Keizer, there are a couple of good quotes.

“This is a good exploit,” said Roger Thompson, CTO of Exploit Prevention Labs.

“According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista’s Windows Mail–as long as users don’t reply or forward the attacker’s messages. The SANS Institute’s testing, however, contradicted Microsoft; by SANS’ account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don’t have to actually open the message to be in danger of an infection.”

“Worse, we know there are vulnerabilities that can be exploited in Vista to escalate privileges,” said Brown. “All you need is access to the system, which this [animated cursor] provides.” Once inside, said Brown, the attacker could up rights from even a safer local user to administrator privileges. “Then, all bets are off.”

UPDATE:

It seems that eEye Digital Security is taking advantage of the situation and has released a patch, available if you have their one-year free personal edition of their intrusion-prevention software:

Patch Location: Download Now!
Patch Version: 1.0
Patch Source Code: View

The patch prevents the loading of any non-local .ani files. Well, my intrusion software is somewhat out of date anyway. I’ll give it a try. I’ll let you know if this is another “Scare you till you upgrade” program that is hard to remove.

UPDATE #2: eEye Digital Security is incredible. At first glance, it seems to be professional and high-level. I think it is actually meant to protect your system and not scare your Aunt Martha into buying more and more additions to it. I’m impressed. I’m also sad to say that for the second time since 1985ish, when I first got a PC clone (a Compaq Portable Plus with Compaq DOS 2.12 and a 10 MB HD, if you must know), I actually had a virus detected on a disk or computer in my home. It was one just reported in the wild for the first time at the end of Feb. So my current antivirus software, somewhat out of date, hadn’t picked up on it. Still, I guess 2 virus detections out of all of the stuff I’ve done and all the disks I’ve used and stuff I’ve downloaded is a pretty good safety record for 2.2 decades.