- home
- reviews
- news
- downloads
- cnet tv
On TechRepublic: Windows 7: Slower to boot than Vista?
- log in
- join CNET
- welcome,
- my profile
- log out

Hardware

Software & services

Networking & communications

Buying guides

Rob Vamosi's
award-winning
column on Internet threats and how to counter them
Delivered Mondays

All free newsletters

CNET Security Center: Your complete source of antivirus and Internet security information.

Windows animated cursor attack
The way Microsoft Windows handles animated cursors on Web sites puts PCs at risk.
By Robert Vamosi (March 30, 2007)(revised 4/4/07)

QUICK FACTS

Name: Windows animated cursor attack

Date first reported: 03/29/07

CVE Number: CVE 2007-0038

Vulnerable software: Microsoft Windows 2000, SP1 through Windows Vista.

What it does: Causes a denial of service attack (persistent reboot) or could allow remote access.

Recommendations: Use an Internet browser other than Microsoft Internet Explorer, such as Firefox or Opera.

Exploit code available: Yes

Vendor patch available: MS07-017

4
out of 10

INTERNET THREAT RATING
How we rate

There's a new Microsoft Windows vulnerability being exploited across the Internet on over 100 Web sites, according to security vendor Websense. The vulnerability is caused by an unspecified error in the way Windows 2000, XP, and Vista handles animated cursors. Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type so simply blocking .ani files won't necessarily protect a PC. Users need not do anything but visit a compromised site to become infected. Antivirus vendor F-Secure reports there's also a worm associated with this vulnerability.

Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to be originating from the following sites, which you may want to block:

wsfgfdgrtyhgfd.net

85.255.113.4

uniq-soft.com

fdghewrtewrtyrew.biz

newasp.com.cn

To become infected, users must be using Internet Explorer 6 or 7; there is no need to click, just visiting an infected site is enough for an infection. The flaw does not affect Firefox or Opera Internet Browsers. Microsoft released a patch within its security bulletin MS07-017.

Additional Resources

Microsoft: MS07-017

Zeroday Emergency Response Team (ZERT): Unofficial patch

NIST: CVE-2007-0038

Arbor Networks: Any Ani file could infect you

Websense: Alert

F-Secure: Blog post

Reviews & advice: Site map; Editorial policies; Meet the editors; How we test; Forums; Internet speed test

Popular topics: Apple iPhone; Apple iPod; Cell phones; Dell; GPS; LCD TV

CNET sites: CNET Site map; CNET TV; Downloads; News; Reviews; Shopper.com

More information: Newsletters; CNET Mobile; Customer Help Center; RSS; CNET Widgets; About CNET