Security flaw puts Windows, including Vista, PCs at risk; malware already observed in the wild

“A new security vulnerability puts Windows users at risk of serious cyberattacks, Microsoft warned late Wednesday,” Joris Evers reports for CNET News.

“The vulnerability affects all recent Windows versions, including Vista, which Microsoft has promoted heavily for its security. The operating system software is flawed in the way it handles animated cursors, Microsoft said in a security advisory,” Evers reports. “An attacker could exploit the vulnerability through a Web page or e-mail message with rigged computer code, Microsoft said.”

“Sample code that demonstrates the vulnerability has already been posted on the Web, McAfee said in a security alert sent to customers. ‘Malware exploiting this vulnerability has been observed in the wild,’ the security company said in the alert,” Evers reports.

“‘I expect attackers will pick up on this as soon as they figure out how to, we’ll very shortly see the usual suspects using it,’ said Roger Thompson, chief technology officer at security software maker Exploit Prevention Labs. ‘The sample site is already offline; this could be a prelude to a bigger attack,’” Evers reports.

Evers reports, “The animated-cursors feature is designated by the .ani suffix, but a successful attack is not constrained by this file type, Microsoft said. As a result, simply blocking such files won’t protect a PC.”

Full article here.

Related articles:
National Security Agency gives Apple’s Mac OS X 10.4 Tiger glowing security endorsement – March 22, 2007
Lack of Apple Mac malware baffles expert – March 21, 2007
Microsoft’s Live OneCare ‘security’ failureware: dead last in test of 17 Windows security apps – March 07, 2007
Bill Gates has lost his mind: calls Apple liars, copiers; slams Mac OS X security vs. Windows – February 02, 2007
Security firm: 38-percent of malware already Windows Vista-compatible – January 22, 2007
FUD Alert: CNET tries to equate Windows’ insecurity to handful of Mac OS X proof-of-concepts – December 02, 2006
Microsoft’s Windows is inherently more vulnerable to severe malware than Apple’s Mac OS X – August 23, 2006
Chicago Tribune falls for the ‘Security Via Obscurity’ myth – August 14, 2006
Symantec details more security holes in Microsoft’s Windows Vista – July 26, 2006
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Gartner analyst tries to propagate discounted Mac OS X ‘security via obscurity’ myth via BBC – July 06, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005
Apple Macs are inherently safer and more secure than Microsoft Windows – November 22, 2005
BusinessWeek columnist propagates discounted ‘Apple Mac security via obscurity myth’ – September 06, 2005
16-percent of computer users are unaffected by viruses, malware because they use Apple Macs – June 15, 2005
Another columnist trots out Mac OS X ‘Security through Obscurity’ myth – April 03, 2004
Columnist tries the ‘security through obscurity’ myth to defend Windows vs. Macs on virus front – October 01, 2003
Shattering the Mac OS X ‘security through obscurity’ myth – August 28, 2003
Virus and worm problems not just due to market share; Windows inherently insecure vs. Mac OS X – August 24, 2003

69 Comments

  1. AND, in any case, it was *again* a vulnerability of the *phishing* kind, where the user has to take action, not just browsing and happening to be in a malware web page and BOUM, you are pwnd.

    In an ER room there could be many patients with broken bones. Mac OS X (as any other OS) can have a little finger fractured. Windows always ends up with broken spine and exposed multi-fractured legs and a cranial trauma.

    This of malware affecting Vista as well will soon become old news. Windows is a patched over-patched OS, an onion-developed spaghetti code. Break one, you are almost sure you break them all.

    Stop calling it Vista. It is just XP SP3 with some eye candy.

  2. “There is no need to do this. Fixed way long ago. You run the updates that Apple releases, right? OR you keep an unpatched Mac OS X 10.0 so to show that it is vulnerable?”

    You run the updates that Microsoft releases, right? Or you run an unpatched Windows 98? As of this writing OS X has 7 unpatched vulnerabilities:
    http://secunia.com/product/96/?task=advisories

    Where’s the patches for those?

    Apple simply doesn’t have enough market share to generate any interest in exploiting them on a widescale basis. Mac users, by and large, live with their head in the sand thinking their precious OS X is flawless. It’s not. In fact it’s no better or no worse than Windows. Windows just gets all the press – especially from the anti-Microsoft crowd. This “big news” here on MDN doesn’t even make the status of break-room talk in corporate IT.

    Mac users are very good at making mountains out of molehills, because that’s all their operating system is is a molehill in the shadow of the Great Microsoft Mountain.

  3. @Reality Check

    “Safari shell script auto-execution vulnerability”

    OK, there was a vulnerability (ID’d by an anti-virus company) that “could” be used to delete a user’s home folder. Can you point to any real world exploits using this vulnerability?

    Oh, and “MDN edited my instructions off the forum on how to block the ads on this site and cut them off from their ad revenue. Pissing me off is the wrong thing to do…It’s high time somebody convince MDN to get back to being Mac Daily News instead of Microsoft Daily News.” Wow! Why do you stick around this site? The www is a big place. Surely there’s another site that would welcome your enlightened insights.

  4. > Yeah, and only Apple could have insecure shell scripts disguised as JPG’s, PDF’s, MP3’s, and what have you. Remember that one?

    No, because even if somebody was dumb enough to run one of those, the exploit can only affect the user’s account. Even I could probably write an AppleScript file that did something the user does not intend. If that’s your definition of Mac OS X “malware” and if that’s the best hackers can do to “exploit” Mac OS X, I’ve never felt more secure.

    MDN reports these stories because they are amusing to Mac users. Keep on reporting them MDN…

  5. The MP3 “Trojan Horse” proof of concept? It was Intego trying to drum up custom by spreading fear about nothing. Assuming that I did download a file from an untrusted source on the Internet–why the hell would I do that?–I could see in the Finder that it was a program and not a file despite the icon. What a load of drivel!

  6. Reality Check, you really need one yourself!

    Are you trying to tell us that OS X is only secure because no one uses it? HAHA! You are a complete sucker!

    Best FUD I’ve ever read, thanks for the chuckles, now get back to your anti-virus scanning you fool!

    MW: increase, as in Vista Viruses are on the increase!

    Reality Check = Village Idiot

  7. Reality, you truly need a reality check. Vulnerabilities are not the same as exploits. A vulnerability can be so remote, or require such peculiar conditions, that it cannot become a problem for a large user base. Mac OS X has over 20 million users. You truly believe that an exploit able to affect 20 million users is not news?

    Windows is pwnd and makes the news when hundreds of thousands of users get affected. Certainly it will be as easy to do that on a 20 million user base, if possible?

    The problem is not exploits that require active intervention from users to be of any harm (this could happen with any OS) but exploits that take place JUST because your computer is switched on. That does not happen because there are many machines but it happens because there are many machines that have an exploitable problem.

    You truly sound like a Windows fanboy and you probably are. Mac OS X has been put to the test publicly with thousands of experts, not casual users, trying to break remotely into a vanilla installation of Mac OS X and not able to bring havoc to it. The machine was sustaining 30 MBs external attacks, over 4000 attempts in one hour, the ipfw log grew at a pace of over 40MB per hour and finally contained 6 (SIX) million remote attempts. This was AFTER the so-called “Mac broke into in less than 30 seconds” idiotic FUD and meant as an answer to it. Yes, there are/can be local privilege escalation vulnerabilities; likely some that are “unpublished”. But this machine was not hacked from the outside just by being on the Internet.

    So far any Mac that was hacked was from within, by someone who was allowed to have a local account on the box. That is a huge distinction.

    It takes a script kiddie to do the same on Windows.

    If you consider that “no better or no worse than Windows” you truly are brainwashed. I can’t feel sorry for you because I consider users suffering from being on Windows having just what they deserve for not being truly informed or being too gullible to realize they are brainwashed.

    PS
    Have you already downgraded to Vista?

  8. i don’t get any ads using Safari, so what the hell’s your problem?

    oh and i really like these microsoft fanboys who come to a mac forum and bitch about MDN reporting anything about microsoft because the report shows how pathetically insecure windows is, and have to resort to telling fud about the mac in return.

    GET OVER IT MORON, WINDOWS IS A CRAP, INSECURE OS. WHEN WILL YOU LEARN ?

    but please be my guest, keep on defending the microsoft pile zune till it eventually decomposes.

  9. Mac OS X is not invulnerable. It, like any other operating system, has security deficiencies in various aspects of the software. Some are technical in nature, and others lend themselves to social engineering trickery. However, the general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system.

    There have been serious vulnerabilities [secunia.com] in Mac OS X that could be taken advantage of; however, most Mac OS X “vulnerabilities” to date have relied on typical trojan social engineering tactics, not genuine vulnerabilities. The recent Safari vulnerability [secunia.com] was promptly addressed by Apple, as are any exploits reported to Apple [apple.com].

    Apple does a fairly good job with regard to security, and has greatly improved its reporting processes after pressure from institutional Mac OS X users: Apple is responsive to security concerns with Mac OS X, which is one of the most important pieces of the security picture.

    If you can’t see that nor understand it you are in trouble. As are in trouble all Windows users, by the way.

    Cheers

  10. @Reality Check

    “the pathetically small Mac user-base”

    Not so pathetically small. Interesting too that Safari use has tripled in the past 12 months according to http://thecounter.com.

    Apple’s latest growth figures are very impressive. Admittedly they are coming off a low base, but you cannot discount that the switch to Intel has breathed new life into the Mac.

    When is small no longer pathetically small?

    And which user base are you talking about? In the home market the Mac seems to be gaining market share very rapidly indeed.

    Ditto for the notebook marketplace.

    Can I suggest you leave the emotional language out of your posts?

  11. @Reality Check

    “Pissing me off is the wrong thing to do – I’ll post the instructions…”

    Now that we’re all quaking in fear, perhaps you’ll take your ball and go home.

    (Psst! Don’t tell RC that it’s not “quaking with fear” but rather “shaking with suppressed laughter”. Maybe he’ll say “my job here is done”, hitch up his super-hero tights and wander off in search of another forum to “save”)

  12. The Mac should theoretically have 3% or 4% of malware out there, instead it has 0%. Don’t tell me it’s because hackers can’t be bothered – what Mac-basher wouldn’t love the chance to bring Apple down a peg or two (and take the credit for being the first)?
