Vulnerability in Windows Animated Cursor Handling (935423)

FNAL Critical Vulnerability
Platform: Windows
Product: Internet Explorer/HTML email
Exploitation: Vulnerability in Animated Cursors
Patch By: As soon as a Microsoft patch is available

An unpatched vulnerability exists in Internet Explorer and in products that use the IE engine to render HTML (such as Microsoft Outlook). The vulnerability is a flaw in the Animated Cursor handlers. An Animated Cursor is a visual change in your mouse pointer when you visit a web site, read HTML email or apply new system Themes. Many web sites change the mouse cursor to fit the design of their site, and users may download new animated cursors to personalize their desktop.

An attacker can invoke malicious code to change your mouse cursor while you are visiting a web site, or offer it in a Theme or stand-alone download to be applied system wide. This malicious cursor file can then be used to exploit your system. Since there are numerous blog, forum and other web sites which allow non-trusted users to define custom cursors (e.g. MySpace), and DOE has captured some malicious files sent via email, this is declared Critical by FNAL Computer Security.

No patch exists yet. Some 'shims' or 3rd party patches are available (use at your own risk!!!); you should be prepared to deploy a patch once it is available from Microsoft.

Microsoft reference URL:
http://www.microsoft.com/technet/security/advisory/935423.mspx

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by JK on Jan 12, 2007.
(Address comments about page to the Computer Security Team.)