| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070330231115.GA31923@blues.ath.cx> Date: Sat, 31 Mar 2007 01:11:15 +0200 From: Jan Wrobel <wrobel@...es.ath.cx> To: Alexander Sotirov <asotirov@...ermina.com> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038) On Thu, 29 Mar 2007, Alexander Sotirov wrote: > Today Microsoft released a security advisory about a vulnerability in the > Animated Cursor processing code in Windows: > http://www.microsoft.com/technet/security/advisory/935423.mspx > > It seems like the vulnerability is already exploited in the wild: > http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/ Bleeding Edge Threats made available Snort rule that detects some (all?) exploits using this vulnerability: http://www.bleedingthreats.net/index.php/2007/03/30/ms-ani-exploit-rule-details-emerging/ I don't know if this rule detects all possible exploits or just one particular type. Here is a Firekeeper version of the rule, which can be used to detect sites hosting malicious files: alert (msg:"BLEEDING-EDGE CURRENT EVENTS MS ANI exploit"; body_content:"|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|"; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; fid:2003519; rev:1;) Rule is triggered for example by the following images: http://www.i5460.net/admin12/2.jpg http://www.i5460.net/admin12/1.jpg Cheers, Jan Wrobel http://firekeeper.mozdev.org
Powered by blists - more mailing lists