Threaded Mode | Linear Mode

dasme · 02/04/2007 07:19 AM

[frame]Quote

In what could be the most embarrassing exploit to impact Windows Vista since its commercial launch in January, security engineers at McAfee’s Avert Labs confirmed today - and posted the video to prove - that the operating system can be caused to enter an interminable crash-restart-crash loop, by means of a buffer overflow triggered by nothing more than a malformed animated cursor file.

It isn’t even a new exploit, as researchers with eEye discovered in January 2005. At that time, Microsoft acknowledged it affected versions of the operating system from the first edition of Windows 98 through to early releases of Windows XP, though it stated at the time XP SP1 was unaffected.

But apparently after researching field reports of limited attacks, Avert Labs discovered an apparently similar exploit using .ANI files impacts XP SP2 and Vista, as well as Windows 2000 SP4 and versions of Windows Server 2003 from the initial release through to SP1. Avert Labs stated XP SP1 and versions since were unaffected, though Microsoft warned the exploit does affect XP SP2.

If both firms’ accounts are correct, Microsoft may have fixed the problem with XP SP1 in 2005, and inadvertently un-fixed it sometime afterward.

Avert Labs’ video of the incident, posted to YouTube, shows a Vista system wherein the test file apparently trying to load the custom animated cursor. When the operating system detects a crash, it first tries to save vital data prior to a restart sequence - one of Vista’s newer features. It then informs the user that Windows Explorer has crashed.

But in trying to restart Explorer, the restarting crashes itself, sending Vista into a tailspin from which the only escape appears to be the off button.

The mouse input routines in Windows are designed with the intention of being relatively failsafe. That’s why when the system appears to hang, you can often still move your mouse pointer. As I’ve personally witnessed on many occasions with Windows XP, it’s possible for a smaller OEM’s mouse driver - often an unsigned one - to trigger a similar tailspin loop that crashes Windows Explorer repeatedly. In Windows, a lot depends on the mouse pointer’s very existence.

So if a customization feature can impact the mouse pointer’s ability to function, the integrity of the entire system can be jeopardized. With my own systems, drivers and services that are unfriendly to one another - such as Stardock’s CursorXP animation program trying to co-exist with a Synaptics Pointing Device driver on a notebook with ATI Mobility Radeon 9600 graphics - can trigger an Explorer tailspin.

What I’m calling the “tailspin

YoYoBallz · 02/04/2007 07:31 AM

Wow.... Thank god my vista don't do this..... but i think my firends might..... ill have to look into this. thanks for posting this :)

beaner2k6 · 02/04/2007 10:16 AM

hehe glad i don't have vista

ZiNgA BuRgA · 02/04/2007 03:22 PM

Meh, there's 1000s of ways to stuff up an OS. I'd thinnk it'd be pretty hard for the average user to install such a cursor though - the main.cpl would probably crash as soon as you'd try to set it (I imagine that they set the cursor through other means?).

michaelp · 02/04/2007 04:42 PM

lol, an animated cursor

microsoft got some spalling to do

sticky · 02/04/2007 06:47 PM

ms got pwnd

Apatheticloser · 04/04/2007 02:54 AM

haha, this is lame.

Threaded Mode \| Linear Mode Vista Can Be Taken Down by an Animated Cursor
Author	Message