VD (Vulnerability Disease)

Microsoft Security Advisory (935423) – Vulnerability in Windows Animated Cursor Handling

This is a very serious vulnerability that is almost certain to be exploited on a wide scale. If the vulnerability were limited to animated cursors alone it would not be as serious, but there are reports of jpg files, which are very commonly used in web pages, being exploited as well. The result is that by simply going to a web site a user’s computer can be completely compromised. In excess of 200 million Windows users are likely to be at risk. Even legitimate web sites present potential danger to users who follow best practice guidelines for web browsing. In January the Miami Dolphins’ Super Bowl web site was compromised and malicious software was placed there. This type of attack exposes even fairly sophisticated users to “drive by” attacks that can compromise their computers. For web browsing, the use of virtualization technologies such as SandboxIE (www.sandboxie.com) can afford some protection; however, email remains a potential attack vector. Forcing Outlook to render email in plain text is a mitigating tactic, but Outlook Express remains vulnerable to attack even when configured to render email in plain text.

Having worked with (not in) the Microsoft Security Response Center (MSRC) in vulnerability report scenarios while employed at MS, I can tell you that the MSRC will be in high gear and working around the clock with a variety of teams at Microsoft. Microsoft and their customers cannot afford to wait until the scheduled April 10th patch day if they can possibly release a fix sooner. I am certain the appropriate people at Microsoft are acutely aware of how bad this threat is and the damage potential it presents to both consumers and Microsoft.

ESET, Microsoft, and a host of other vendors have released detection for the malware associated with the vulnerability; however, new variations of the exploit code are expected. Regardless of the security products used, email from unknown users should be promptly deleted, Outlook should be configured to display email in plain text, and care should be taken to visit only web sites that users have reason to believe are trustworthy.
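Because signature updates lag behind new variants, a defender scanning mail attachments or proxied downloads can also apply a format-sanity check independent of any signature. The following is an added example, not code from the post or from ESET: it walks the RIFF chunks of an animated cursor (.ani) file and flags any `anih` chunk whose declared size is not the 36-byte ANIHEADER the format defines, or whose declared size overruns the file. The 36-byte header size comes from the ANI file format, not from the post, and the sample files are constructed inline.

```python
import struct

# sizeof(ANIHEADER): the fixed-size header every "anih" chunk must carry
ANIH_HEADER_SIZE = 36

def iter_riff_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for chunks in data[offset:end].
    Does not raise on a size that overruns 'end': the caller reports that."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # payloads are word-aligned (pad byte after odd sizes)

def check_ani(data):
    """Return a list of findings for an .ani (RIFF/ACON) image; [] means it is well-formed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    stack = [(12, min(len(data), 8 + riff_size))]   # (start, stop) of chunk ranges to walk
    while stack:
        start, stop = stack.pop()
        for fourcc, payload, size in iter_riff_chunks(data, start, stop):
            if payload + size > stop:
                findings.append(f"{fourcc!r} at {payload - 8}: declared size {size} overruns the file/list")
            elif fourcc == b"LIST":
                stack.append((payload + 4, payload + size))  # descend, skipping the list-type fourcc
            if fourcc == b"anih" and size != ANIH_HEADER_SIZE:
                findings.append(f"anih at {payload - 8}: size {size} != {ANIH_HEADER_SIZE}")
    return findings

def chunk(fourcc, payload):
    """Build one RIFF chunk with little-endian size and pad byte (used to construct samples)."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def build_ani(anih_payload):
    """Constructed sample: a minimal RIFF/ACON image whose only chunk is anih."""
    body = b"ACON" + chunk(b"anih", anih_payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    print(check_ani(build_ani(bytes(36))))   # [] : well-formed 36-byte header
    print(check_ani(build_ani(bytes(100))))  # flags the oversized anih chunk
```

A non-empty result is a reason to quarantine the file for review; an empty result only says the cursor is structurally well-formed, not that it is safe, so the check complements rather than replaces the vendor patch and AV detection.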

For more information, the following organizations have posted details and advice as well.



Randy Abrams
Director of Technical Education


Author, ESET

  • umm – your sandboxie link is borked… it’s spelled right in the anchor text (so people can copy-n-paste into the address bar if they want) but the actual link is missing a “d”…

  • Randy Abrams

    Right you are. I just fixed that. I had discovered the typo and fixed it, but I didn’t realize that the editor did not fix the “href”. This is most excellent, now I can easily show why you always type in links instead of clicking on them when you aren’t at a trusted site :)

    Thanks a million Kurt!

  • NOD32 Fan

    I have noticed that the last two independent tests, one for AV-Comparatives (latest on demand), and Virus Bulletin (April test for Linux), for NOD32 have not been the best examples of your stellar reputation.

    Is something to blame for not passing both tests with flying colors as you usually do?

    Just a bit concerned is all. Your product has always been the best, and I will be a customer for life.

  • In fact, SBIE is not a “virtualization technology” (pure virtualization technology is VirtualPC or VMWare, for instance), it is sandbox HIPS with virtualization implementation alongside with DefenseWall HIPS, BufferZone, GreenBorder, Virtual Sandbox, GeSWall… Let’s be exact in terminology!

  • Randy Abrams

    In response to “NOD32 Fan”

    The interesting thing here is in one test the problem is not enough false positives and the other is one single false positive!

    With the AV comparatives test we missed their Advanced + level by .3%. As it turns out, upon examination of the missed files, there were several (like 1,000) that were broken. Technically speaking the products that detected these samples were false positiving, or detecting files that were not harmful. That said there were a number of real samples that we missed as well. There was also a change to the testing this time around. In the past a significant portion of DOS samples were in the test (we still have a DOS scanner). With the older format we would have easily gained the Advanced + level, and I am sure we will again. The unfortunate side effect of tests such as these is that we are forced to put more priority on what a tester manages to collect without regard for threat level, instead of the threats we know that customers are facing. In today’s environment, threats that are a month old are often not threats any more. They were sent out on a one time basis, the infrastructure required for them to work is gone, and they are no longer able to harm anyone. Either you detected them or you didn’t. Adding detection later makes you look good, but you didn’t actually help anyone.

    In the Virus Bulletin test, we did not miss a single “in-the-wild” virus. This test was on Linux and the VB100 was denied because of a single false positive on a 1991 DOS file. At that, the detection was labeled as “suspicious”. In the past, products that have detected files as “suspicious” have not been denied a VB100 award, so we are talking to the testers at VB to get some clarification and make sure that everyone is tested with exactly the same standards. VB, in particular, makes very strong efforts to ensure fairness and consistency.

    The keys to both of these tests are to understand what the tests mean, and to use the tests as part of a historical context. The VB100 is a certification. Regardless of how good your detection is, if they deem you have a single false positive then you don’t get the award. In this case, how important is labeling an old DOS file as “suspicious” to you while running a Linux Server? Is this of concern to you? Maybe yes, maybe no? History is very important. How well has a product performed historically? A single test generally will not tell you very much, but if you look at a series of tests you begin to see how well the developers are doing overall. If you see three tests in a row that measure actual detection (VB100 does not do this, but VB tests do) and you see a product is performing better or worse than they have over the past few years, then you may be spotting a trend. The trends and consistency are what is important in evaluating anti-virus software. The only way to do this effectively though is to understand the natures of the tests and what the tests mean. Things like a VB100 or an AV-Comparatives Advanced + are meaningless by themselves. The certifications do not give important details. The value of these certifications is in the historical perspective “at a glance”.

    One other note about certifications… All they do is indicate that a product met specific and arbitrary criteria. To sell a car in the USA it must pass a certification test by the Department of Transportation. Does that mean that all certified cars are equally safe? Of course not!

  • Randy Abrams

    In response to “Ilya Rabinovich”

    > In fact, SBIE is not a “virtualization technologie”
    > (pure virtualization technologie is VirtualPC or VMWare,
    > for instance), it is sandbox HIPS with virtualization implementation
    > alongside with DefenseWall HIPS, BufferZone, GreenBorder, Virtual
    > Sandbox, GeSWall… Lets be exact in terminology!

    HIPS (Host-based Intrusion Prevention System) is not a single technology. A Sandbox is, or can be, a type of virtualization technology. A sandbox HIPS is a virtualization technology. At no time did I say that it was a virtual PC, and I certainly did not mean to imply it was – it isn’t. It can be difficult to use exact terminology in a field where the definitions/uses of the terms frequently change, but I think that it is generally accepted that sandboxing is a type of virtualization and therefore correct to refer to SandboxIE, and the other systems you mentioned, as virtualization technologies. A bicycle is a transportation vehicle, even if it is not a car :)

  • 2 Randy Abrams.

    Well, first of all- I suggest you read our comment-based conversation with Kurt Wismer at http://anti-virus-rants.blogspot.com/2006/12/what-virtualization-can-and-cannot-do.html. Then, when you understand all the things mentioned there, you will understand that sandboxing and virtualization are very different things. SBIE is a sandbox HIPS with registry and file system virtualization, alongside with BufferZone and GreenBorder. GeSWall is a sandbox HIPS with full registry virtualization, without file system one. My DefenseWall HIPS is a sandbox HIPS without file system virtualization and with very limited registry one (almost all its protection is policy-based).

    As about HIPS- there are three types of it: classical, expert and sandbox, thus, yes, it is not a single technology. I know that as I am a DefenseWall HIPS developer :)

  • Randy Abrams

    > Then, whan you will understand all the things mentioned there, you will
    > understand that sandboxing and virtualization are very different things.

    I understand that you believe them to be very different things. I do not believe your definitions are definitive though :) SandBoxIE is a sandboxing technology that uses file system and registry virtualization. Hence it is a virtualization technology as well.

    I understand that in DefenseWall you virtualize part of, but not the entire sandbox. It appears to be an interesting and effective approach. I’ll have to give the product a try. Gizmo’s results at http://www.techsupportalert.com/security_HIPS.htm are quite impressive!

  • “Hence it is a virtualization technology as well”. Yup, but, you know, VMWare is a hardware virtualization tool too. But it is not HIPS at all! You see, it is very important to separate HIPS tools that use sandboxing and virtualization from hardware virtualization tools (that use file system and registry virtualization too) that are not HIPS at all. If you call SBIE a “virtualization tool”, many people could be confused as they don’t understand the difference between SBIE virtualization and VMWare virtualization. That is why I always call SBIE, GreenBorder, BufferZone, GeSWall, DefenseWall by one term: sandbox HIPS, as their protection model is based on process separation, threat gates control and defense of the system’s sensitive places (whether with policy-based restrictions or virtualization).

    As about DefenseWall virtualization- there is only a limited one for the registry. Other registry and file system defense is policy-based. Why is it architected this way? The main idea of DW is to be as user-friendly as possible (for HIPS, I mean). File system virtualization is quite hard for everyday use (as I believe). As about the registry one- well, it is a security hole. Why? I just read some posts at forums and I perfectly understand that many users will be afraid to erase a virtualization container that contains some important data (some users keep it untouched for half a year, at least). Meanwhile, malware may virtually modify the BHO zone (for instance) and silently spy on the user, as IE will be using the virtualized copy of the BHO, not the real one. Balance between defense strength and everyday usability is the most important thing!

Copyright © 2017 ESET, All Rights Reserved.