-
Apr 11, 2007
Microsoft: Beware of .HLP files
Microsoft is urging Windows users to be very careful when opening ".hlp" attachments.
The warning follows the release of exploit code for a possible new zero-day bug in the Microsoft Help subsystem, which is used to display files with the ".hlp" extension.
The proof-of-concept code, posted at Milw0rm.com, provides instructions on how to exploit a local heap overflow vulnerability.
The MSRC (Microsoft Security Response Center) has launched an investigation and has confirmed that a potential attack would require the use of malicious ".hlp" files.
Microsoft has listed .HLP files as unsafe file types as discussed in (this KB article) and recommends customers exercise the same cautions with .HLP as .EXE, as both file types are executable. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.
Separately, Microsoft is challenging published zero-day flaw claims against its Office productivity suite. A Redmond spokesman sent the following statement:
Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products.
-
Apr 2, 2007
Windows animated cursor flaw--150 sites infected
There's a new Microsoft Windows vulnerability being exploited across the Internet on over 150 Web sites. The vulnerability is caused by an unspecified error in the way Windows 2000, XP, and Vista handle animated cursors.
Animated cursors allow a mouse pointer to appear animated on a Web site. The feature is often designated by the .ani suffix, but attacks for this vulnerability are not constrained by this file type, so simply blocking .ani files won't necessarily protect a PC. Successful exploitation can result in memory corruption when processing cursors, animated cursors, and icons. According to Arbor Networks, the malicious code on compromised Web sites exploiting this flaw appears to be originating from the following sites, which you may want to block:
wsfgfdgrtyhgfd.net
85.255.113.4
uniq-soft.com
fdghewrtewrtyrew.biz
newasp.com.cn
To become infected, users must be using Internet Explorer 6 or 7; there is no need to click, as just visiting an infected site is enough for an infection. The flaw does not affect the Firefox or Opera browsers. Microsoft will release a patch on April 3, 2007. Until a patch is released, users should browse the Internet using a non-Internet Explorer browser.
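The point above that blocking by the .ani suffix is not enough can be checked at the content level. The following Python is an added example, not code from this article, from Arbor Networks or from Microsoft: it identifies animated-cursor data by its RIFF/ACON signature whatever the file is named, and contrasts that with an extension-only block rule. Its anomaly checks (the anih header chunk being the fixed 36-byte ANIHEADER, chunks staying within the file, exactly one anih chunk) are a malformation heuristic assumed here for triage; the article itself only says the error in cursor handling is unspecified. All sample files are constructed inline.

```python
import os
import struct
from typing import Iterator, Optional, Tuple

# ANIHEADER is nine little-endian DWORDs, 36 bytes.  Treating any other declared
# 'anih' size, a chunk that overruns the file, or more than one 'anih' chunk as an
# anomaly is a malformation heuristic assumed here for triage; the article only
# says the error in cursor handling is unspecified.
ANIHEADER_SIZE = 36
# file types the page tells readers to treat as unsafe or to block
BLOCKED_EXTENSIONS = {".ani", ".hlp", ".exe"}


def is_riff_acon(data: bytes) -> bool:
    """True if the bytes are a RIFF container whose form type is ACON (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data: bytes, start: int = 12, end: Optional[int] = None) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (fourcc, offset, declared_size) for each chunk, descending into LIST containers."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if fourcc == b"LIST":
            # a LIST payload is a 4-byte list type followed by nested chunks
            yield from iter_chunks(data, pos + 12, min(end, pos + 8 + size))
        else:
            yield fourcc, pos, size
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length


def inspect_ani(data: bytes) -> dict:
    """Report whether the bytes are an ANI file and list any structural anomalies."""
    report = {"is_ani": False, "anih_count": 0, "anomalies": []}
    if not is_riff_acon(data):
        return report
    report["is_ani"] = True
    for fourcc, off, size in iter_chunks(data):
        name = fourcc.decode("latin-1")
        if off + 8 + size > len(data):
            report["anomalies"].append(f"{name} at offset {off} declares {size} bytes, past end of file")
        if fourcc == b"anih":
            report["anih_count"] += 1
            if size != ANIHEADER_SIZE:
                report["anomalies"].append(f"anih at offset {off} declares {size} bytes, expected {ANIHEADER_SIZE}")
    if report["anih_count"] != 1:
        report["anomalies"].append(f"{report['anih_count']} anih chunks, expected exactly one")
    return report


def classify_file(filename: str, data: bytes) -> dict:
    """Contrast an extension-only block rule with the content-based check."""
    ext = os.path.splitext(filename)[1].lower()
    report = inspect_ani(data)
    return {
        "blocked_by_extension": ext in BLOCKED_EXTENSIONS,
        "ani_by_content": report["is_ani"],
        "anomalies": report["anomalies"],
    }


def build_ani(chunks) -> bytes:
    """Constructed-sample builder: assemble a RIFF/ACON blob from (fourcc, payload) pairs."""
    body = b"ACON"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# constructed samples: a well-formed header, and a file carrying a second, oversized header
GOOD_HEADER = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
WELL_FORMED = build_ani([(b"anih", GOOD_HEADER), (b"rate", struct.pack("<I", 10))])
MALFORMED = build_ani([(b"anih", GOOD_HEADER), (b"anih", b"\x00" * 64)])
NOT_ANI = b"\xff\xd8\xff\xe0" + b"\x00" * 20  # JPEG-like bytes, constructed

if __name__ == "__main__":
    for name, blob in [("pointer.ani", WELL_FORMED), ("banner.jpg", MALFORMED), ("photo.jpg", NOT_ANI)]:
        print(name, classify_file(name, blob))
```

The `banner.jpg` sample is the case the article warns about: an extension rule passes it, while the content check both recognises it as an animated cursor and reports the malformed header chunk, so a mail or web gateway should key on the signature rather than the name.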
Additional Resources
Microsoft: Advisory 935423
NIST: CVE-2007-0038
Arbor Networks: Any Ani file could infect you
Internet Threat Rating 8: How we rate
Quick Facts
Name: Windows animated cursor attack
Date first reported: 03/29/07
CVE Number: CVE-2007-0038
Vulnerable software: Microsoft Windows 2000, SP1 through Windows Vista.
What it does: Causes a denial of service attack (persistent reboot) or could allow remote access.
Recommendations: Use an Internet browser other than Microsoft Internet Explorer, such as Firefox or Opera.
Exploit code available: Yes
Vendor patch available: Expected April 3, 2007.
-
Mar 30, 2007
Virus Disguised as IE 7 Download
Watch out for e-mails with a new virus disguised as a test version of Microsoft's current Web browser.
James Niccolai, IDG News Service
Friday, March 30, 2007 06:00 AM GMT-08:00
If you receive an e-mail offering a download of Internet Explorer 7 Beta 2, delete it. A new virus is making the rounds that comes disguised as a test version of Microsoft Corp.'s current Web browser.
Security experts reported no widespread damage Friday morning, but they said the virus is notable for a couple of reasons. The e-mail includes a convincing graphic that looks like it could really be from Microsoft, and the virus is delivered when recipients click on a link rather than in an attachment, which makes it harder to stop it from reaching in-boxes.
"The idea of sending a link seems to be a trend among attackers; it's still fairly new and it works much better than sending a file," said Mikko Hypponen, chief research officer at F-Secure Corp.
The e-mails carry the subject line "Internet Explorer 7 Downloads" and appear to come from admin@microsoft.com. They include a blue, Microsoft-style graphic offering a download of IE 7 beta 2. Clicking the graphic will download an executable file called IE 7.exe.
The file is actually a new virus called Virus.Win32.Grum.A, and security experts were still analyzing it Friday to see what it does. Sophos PLC said it can spread by e-mailing itself to contacts in a user's address book. The virus tampers with registry files to ensure it gets installed, and it tries to download additional files from the Internet, said Graham Cluley, a senior technology consultant for Sophos.
Other specifics were unknown yet, but such viruses often install a keystroke logger to steal personal information, and establish a network of infected computers to launch a denial of service attack, Cluley said.
"We don't know anything yet about where it is coming from," Hypponen said. "It's fairly well made and hard to analyze with normal tools."
F-Secure had received many reports of the e-mail but few submissions of the virus itself, indicating that damage so far is limited. Cluley agreed: "I wouldn't classify this as one of the biggest viruses of the year, but that doesn't mean it isn't a threat," he said.
Detection of Win32.Grum by antivirus programs was "mediocre" on Thursday evening, according to Sunbelt Software Inc., and some big vendors were still not picking it up Friday morning, Hypponen said.
F-Secure and Sophos are blocking the virus and all major vendors are likely to do so soon, he said. Some e-mail filtering systems were also not blocking the virus on Friday morning.
The virus is being hosted on several servers around the world, which will increase the time it takes to identify and clean them all. They appear to be Web servers that have been hacked, Hypponen said. The SANS Internet Storm Center asked administrators to check their logs to make sure they are not hosting the file.
The virus affects only Windows users. "Microsoft is aware of this issue and is currently investigating this matter, including customer impact," a spokeswoman said via e-mail.
The final version of IE 7 was released last October, so Microsoft is unlikely to be advertising a beta of the product. Users can download a real version of the software at Microsoft's Internet Explorer home page.
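The SANS Internet Storm Center's request that administrators check their logs for the hosted file, and the Arbor Networks host list quoted in the animated-cursor item above, both come down to scanning web logs. The following Python is an added example, not code from the article, from SANS or from Arbor Networks: it parses Apache combined-format lines, flags requests that served a file named "IE 7.exe" (the name the article gives the download) and, for a forward proxy that logs absolute URLs, requests to the hosts Arbor listed. The log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# hosts quoted on the page from Arbor Networks' list
BLOCKED_HOSTS = {
    "wsfgfdgrtyhgfd.net",
    "85.255.113.4",
    "uniq-soft.com",
    "fdghewrtewrtyrew.biz",
    "newasp.com.cn",
}
# the page names the downloaded file "IE 7.exe"; compared case-insensitively
LURE_FILENAME = "ie 7.exe"

# Apache combined log format; the referer/user-agent pair is optional so plain
# common-format lines parse as well
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str):
    """Return the named fields of one log line, or None if it is not a log record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_target(target: str):
    """Return (host, decoded path).  An origin server logs a bare path, so host is '';
    a forward proxy logs the absolute URL, which carries the destination host."""
    if "://" in target:
        parts = urlsplit(target)
        return (parts.hostname or "").lower(), unquote(parts.path)
    return "", unquote(target.split("?", 1)[0])


def classify_request(line: str) -> dict:
    """Flag a request to a blocklisted host or one that served the lure file."""
    rec = parse_line(line)
    if rec is None:
        return {"parsed": False, "findings": []}
    host, path = split_target(rec["target"])
    findings = []
    if host in BLOCKED_HOSTS:
        findings.append(f"request to blocklisted host {host}")
    if path.lower().endswith("/" + LURE_FILENAME):
        findings.append(f"served lure file {path} with status {rec['status']}")
    return {"parsed": True, "client": rec["client"], "ts": rec["ts"], "findings": findings}


def scan(log_text: str) -> dict:
    """Classify every line; return flagged records and the count of lines that did not parse."""
    flagged, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify_request(line)
        if not rec["parsed"]:
            unparsed += 1
        elif rec["findings"]:
            flagged.append(rec)
    return {"flagged": flagged, "unparsed": unparsed}


# constructed log lines: two from an origin web server, two from a forward proxy, one junk line
SAMPLE_LOG = """\
192.0.2.10 - - [30/Mar/2007:08:15:02 -0800] "GET /downloads/IE%207.exe HTTP/1.1" 200 348160 "-" "Mozilla/4.0"
192.0.2.11 - - [30/Mar/2007:08:15:40 -0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.5 - - [02/Apr/2007:11:02:17 -0800] "GET http://wsfgfdgrtyhgfd.net/ HTTP/1.0" 200 912 "-" "Mozilla/4.0"
10.0.0.6 - - [02/Apr/2007:11:03:01 -0800] "GET http://www.example.com/ HTTP/1.0" 200 4411 "-" "Mozilla/4.0"
this line is deliberately not a log record
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for rec in result["flagged"]:
        print(rec["ts"], rec["client"], "; ".join(rec["findings"]))
    print("unparsed lines:", result["unparsed"])
```

A hit on the lure-file check with a 200 status means the server actually delivered the file, which is the condition SANS asked administrators to look for; a 404 is still worth noting because it shows the link was circulating with that host's name in it.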
-
Mar 30, 2007
Alert: Critical Windows Attack Underway
A serious new Internet attack affecting Internet Explorer 6 and 7, and Outlook 2002 and later on Windows XP SP2 is underway. If you simply view a Web site or HTML e-mail that's been laced with a poisoned animated cursor file (.ani), an attacker can take over your computer. IE7 under Vista, Firefox and Outlook 2007 are not currently affected.
This is a zero-day attack, meaning there's no patch available as of yet. McAfee and iDefense have reported finding live attacks in the wild, and Andreas Marx of AV Test wrote to tell me there are somewhere around 25,000 Web sites that currently contain this attack or did in the past, according to a Google search for telltale signs within the poisoned sites.
Perhaps most alarming, Microsoft doesn't list any temporary fix or workaround for IE in their security advisory. Usually, with drive-by-download risks like these, you can temporarily turn off all Javascript, for instance, or change something in the registry. This time, Microsoft only says to read all e-mail in plain text rather than HTML, and lists no help for IE.
For Vista, Microsoft says in their advisory that IE 7's protected mode will defend against this attack in the new OS. The company also says that Outlook 2007 isn't affected because it uses Word to display e-mail by default. However, iDefense's Ken Dunham wrote that "trivial modification to existing exploit code makes it possible to attack Windows 2000 and all service packs of Windows XP, and Vista."
Also, Ryan Naraine writes in his Zero-Day blog that the company that reported the flaw to Microsoft four months ago says the flaw affects Vista, and that an attack could theoretically hit Firefox as well.
Until there is a fix or at least a temporary workaround, I'd strongly recommend using an alternate browser such as Firefox or Opera, and turning off HTML e-mail viewing in Outlook. As mentioned, the attack could reportedly hit Firefox, but I haven't yet seen any reports of Mozilla's browser being targeted.
There's an unrelated but also dangerous attack going around in e-mail form. If you receive anything with a subject line of "Internet Explorer 7 Downloads," it's likely an attack.
