Discussion:
Windows 9x and the ANI (animated cursor) vulnerability
98 Guy
2007-04-04 00:20:06 UTC
Macro$haft issued a fix for this item back in 2005 (I think) but it
only addressed half of the potential vulnerability (ie it was only a
half-baked solution).

What I'm not clear on is if Win-9x has any built-in associations for
these ANI files. I've searched my system and can't find any .ani
files (should I?).

Zert has a webpage containing a benign version of the ani exploit that
will crash your system if it's vulnerable:

(warning - don't click on this link unless you are prepared to
re-start your system)

http://zert.isotf.org/tests/testani.htm

I've tried it from a few win-98 machines and they aren't affected by
the exploit (in other words, my win-98 systems don't crash).

I don't think win-98 has any built-in associations for .ANI files (and
I don't have any ani files on my system).

The webpage above contains xpsp2_2180.jpg and xpsp2_2622.jpg. They
appear (internally) to identify themselves as "RIFF" files (Resource
Interchange File Format). When submitted to Virus Total, those files
are identified as various forms of ANI exploits (viral, trojan, etc).

If an OS doesn't have any built-in association for .ani (or .riff?)
files, then I can't see how the exploit can work.

Keep in mind that MS has often (in the past) lumped Win-9x into lists
of OS's that were vulnerable to this or that exploit when in fact they
weren't.

Details:

Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack
* overflow error within the "LoadAniIcon()" [user32.dll] function
* when rendering cursors, animated cursors or icons with a
* malformed header, which could be exploited by remote attackers
* to execute arbitrary commands by tricking a user into visiting
* a malicious web page or viewing an email message containing a
* specially crafted ANI file.

I've just looked at user32.dll with dependency walker and don't see a
"LoadAniIcon" in the function list.
PCR
2007-04-04 22:26:48 UTC
98 Guy wrote:
| Macro$haft issued a fix for this item back in 2005 (I think) but it
| only addressed half of the potential vulnerability (ie it was only a
| half-baked solution).
|
| What I'm not clear on is if Win-9x has any built-in associations for
| these ANI files. I've searched my system and can't find any .ani
| files (should I?).

Maybe. Most of mine are in the Desktop Themes & are animated cursor
icons...

To install Desktop Themes, if they are not already in the Control Panel
or in the START menu...
1. START, Settings, Control Panel, Add/Remove Programs, Windows Setup
tab.
2. Check "Desktop Themes"; click "Details"; check the themes you want;
"OK" twice.
3. Perhaps, re-boot.

Some themes require "high color". To get "high color"...
1. Right click the Desktop & select Properties
2. Click the "Settings" tab
3. Use the "Colors" dropdown menu to select "high color"
4. Be prepared. It may ask your permission to restart the computer.

That will get its stuff out of the Windows Installation Cabinet
WIN98_59.CAB, if you are Win98SE. I don't know where they would be, if
you are FE. And I guess it could be FE doesn't have them at all.

BUT three of mine are outside the Desktop Themes folders, & two of those
are fairly old...

C:\>DIR C:\WINDOWS\CURSORS\*.ani
GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
3 file(s) 26,718 bytes

I think you should have them, (though possibly not if FE). I don't see
where/how they are separately got like the Themes can be. Here is the
.cab that has them in Win98SE. I guess Globe.ani later was updated with
an IE Cumulative Update...

Cabinet WIN98_21.CAB
04-23-1999 10:22:00p A--- 8,274 appstart.ani
04-23-1999 10:22:00p A--- 6,300 globe.ani
04-23-1999 10:22:00p A--- 12,144 hourglas.ani

Those all belong in C:\WINDOWS\CURSORS, & they are not hidden/system
files. Do you have that folder?

| Zert has a webpage containing a benign version of the ani exploit that
| will crash your system if it's vulnerable:
|
| (warning - don't click on this link unless you are prepared to
| re-start your system)
|
| http://zert.isotf.org/tests/testani.htm
|
| I've tried it from a few win-98 machines and they aren't affected by
| the exploit (in other words, my win-98 systems don't crash).
|
| I don't think win-98 has any built-in associations for .ANI files (and
| I don't have any ani files on my system).

Nope-- there is no association for them on a stock machine. And QuikView
doesn't know how to run them, either, but will only open them for
reading. It's unreadable, though, except for the first line, which also
can be seen in Notepad...

RIFFJ ACONLISTZ INFOINAM Application Starting Hour Glass IART&
Microsoft Corporation, Copyright 1995

But associations are only for OUR benefit to have a file be executed or
read by an app of our choice BY clicking the file. It has nothing to do
with whether other apps can run the file on their own-- they don't need
an association!

HOWEVER, you can see .ani files run or be displayed this way... R-Clk
one in Explorer or a Find window, & select Properties. The icon will
animate in the Properties box. That half-baked solution of MS did not
prevent it!

| The webpage above contains xpsp2_2180.jpg and xpsp2_2622.jpg. They
| appear (internally) to identify themselves as "RIFF" files (Resource
| Interchange File Format). When submitted to Virus Total, those files
| are identified as various forms of ANI exploits (viral, trojan, etc).
|
| If an OS doesn't have any built-in association for .ani (or .riff?)
| files, then I can't see how the exploit can work.

Associations have nothing to do with it. They only determine what app
will open a file of a particular extension (like .ani)-- when WE click
on the file! Other apps can always run the .ani on their own.

| Keep in mind that MS has often (in the past) lumped Win-9x into lists
| of OS's that were vulnerable to this or that exploit when in fact they
| weren't.

I can't recall the details on this particular vulnerability. If there
was a half-baked solution to this one (& I do seem to nearly recall it),
I certainly took it. (I've taken them all.) And it certainly hasn't
prevented the animated icons from working at all. I see them all the
time!

| Details:
|
| Windows .ANI LoadAniIcon Stack Overflow
| * [CVE-2007-1765]
| *
| * Description:
| * A vulnerability has been identified in Microsoft Windows,
| * which could be exploited by remote attackers to take complete
| * control of an affected system. This issue is due to a stack
| * overflow error within the "LoadAniIcon()" [user32.dll] function
| * when rendering cursors, animated cursors or icons with a
| * malformed header, which could be exploited by remote attackers
| * to execute arbitrary commands by tricking a user into visiting
| * a malicious web page or viewing an email message containing a
| * specially crafted ANI file.
|
| I've just looked at user32.dll with dependency walker and don't see a
| "LoadAniIcon" in the function list.

I don't know, but that may only show functions that are currently loaded
or running. I checked every .dll I've got this way...

"START button, Find, F/F"
Named: *.dll
Containing text: LoadAniIcon

..., & NONE of them had it! Ah, ha, ha!
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
***@netzero.net
98 Guy
2007-04-05 00:23:12 UTC
Post by PCR
| What I'm not clear on is if Win-9x has any built-in associations
| for these ANI files. I've searched my system and can't find
| any .ani files (should I?).
Maybe. Most of mine are in the Desktop Themes & are animated
cursor icons...
Ok, yes I do have them. 96 to be exact, located in

- c:\windows\setup
- c:\windows\setup\resource kit\apps\imagine_le\qp\animate
- c:\windows\cursors (3 ani files)
- c:\program files\Plus!\themes
- 5 more located in \adaptec, \IEAK, a few others

All of them are being rendered with their own individual (but static)
thumbnail except for the ones in \resource kit\ (those are shown with
the standard windows thumbnail for unknown file type). Those in
particular do not start with "RIFF" but all others do.

My system is calling these "ACDSee ANI Image" files and ACDSee is
launched when these files are double-clicked (and they are animated
when viewed by ACDSee).
Post by PCR
BUT three of mine are outside the Desktop Themes folders, & two
of those are fairly old...
C:\>DIR C:\WINDOWS\CURSORS\*.ani
GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
3 file(s) 26,718 bytes
Yes, I have the same 3 (and only those 3) in my \cursors\ directory.
Post by PCR
Nope-- there is no association for them on a stock machine.
And QuikView doesn't know how to run them, either, but will
only open them for reading. It's unreadable, though, except
for the first line, which also can be seen in Notepad...
What thumbnail icon is your OS showing for those .ANI files, and how
is it describing them in the file "Type" column?
Post by PCR
The icon will animate in the Properties box.
Yes, I see that.
Post by PCR
| Windows .ANI LoadAniIcon Stack Overflow
| * [CVE-2007-1765]
| *
| * This issue is due to a stack overflow error within the
| * "LoadAniIcon()" [user32.dll] function when rendering cursors
|
| I've just looked at user32.dll with dependency walker and
| don't see a "LoadAniIcon" in the function list.
I've just downloaded the win-2K fix from MS from here:

http://tinyurl.com/27hgax

And yes it is basically just an updated version of user32.dll.

But I DON'T see "LoadAniIcon" anywhere in the file, nor in the
Dependency Walker function list.

So what's the deal here?
Lee
2007-04-05 03:14:01 UTC
Post by 98 Guy
Post by PCR
| What I'm not clear on is if Win-9x has any built-in associations
| for these ANI files. I've searched my system and can't find
| any .ani files (should I?).
Maybe. Most of mine are in the Desktop Themes & are animated
cursor icons...
Ok, yes I do have them. 96 to be exact, located in
- c:\windows\setup
- c:\windows\setup\resource kit\apps\imagine_le\qp\animate
- c:\windows\cursors (3 ani files)
- c:\program files\Plus!\themes
- 5 more located in \adaptec, \IEAK, a few others
All of them are being rendered with their own individual (but static)
thumbnail except for the ones in \resource kit\ (those are shown with
the standard windows thumbnail for unknown file type). Those in
particular do not start with "RIFF" but all others do.
My system is calling these "ACDSee ANI Image" files and ACDSee is
launched when these files are double-clicked (and they are animated
when viewed by ACDSee).
Post by PCR
BUT three of mine are outside the Desktop Themes folders, & two
of those are fairly old...
C:\>DIR C:\WINDOWS\CURSORS\*.ani
GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
3 file(s) 26,718 bytes
Yes, I have the same 3 (and only those 3) in my \cursors\ directory.
Post by PCR
Nope-- there is no association for them on a stock machine.
And QuikView doesn't know how to run them, either, but will
only open them for reading. It's unreadable, though, except
for the first line, which also can be seen in Notepad...
What thumbnail icon is your OS showing for those .ANI files, and how
is it describing them in the file "Type" column?
Post by PCR
The icon will animate in the Properties box.
Yes, I see that.
Post by PCR
| Windows .ANI LoadAniIcon Stack Overflow
| * [CVE-2007-1765]
| *
| * This issue is due to a stack overflow error within the
| * "LoadAniIcon()" [user32.dll] function when rendering cursors
|
| I've just looked at user32.dll with dependency walker and
| don't see a "LoadAniIcon" in the function list.
http://tinyurl.com/27hgax
And yes it is basically just an updated version of user32.dll.
But I DON'T see "LoadAniIcon" anywhere in the file, nor in the
Dependency Walker function list.
So what's the deal here?
Believe it or not, the File Type method of investigating file
associations is an 'interpreted' view using a Windows Gui to do the
looking for you. The REAL file association method comes from the
registry directly - to wit:

HKEY_CLASSES_ROOT\_period_ani - eg. the extension of .ani file
types....
[HKEY_CLASSES_ROOT\.ani]
@="anifile"

The above value tells us where to go next to find the actual
association as per the default action, program, and program location
typically. And that would be the "anifile" section just a bit further
down like so:

[HKEY_CLASSES_ROOT\anifile]
@="Animated Cursor"

[HKEY_CLASSES_ROOT\anifile\DefaultIcon]
@="%1"

To have a default Icon path pointing at the .ani file itself (1%) is a
quite unique entry and I figure that the automatic extraction of the
icon itself allows the evil code to work and thus cause the
problem(s). So we DO have 'kind' of an association right here, but
one could never see it as such using the File Type method of
investigating file associations. I prefer the direct method myself,
but am not averse to using built in features like File Types when it
will do the job for me.


When I use Dependency Walker on my own 4/23/99 user.dll (Win98se) file
I find:
LoadIconW - right clicked and searched for on msdn.com results in:

LoadIcon Function ()
The LoadIcon function loads the specified icon resource from the
executable (.exe) file associated with an application instance.

You should interpret the above to mean that the Icon is extracted from
the 'DefaultIcon' entry location as listed in the registry which is
most often the associated program's .exe file itself. But NOT always
is it so, as in this very particular case of .ani files.

Can I suggest that the LoadAniIcon Function name to be so much MS
hogwash and that the real name for the function IS LoadIcon instead?
Things like this happen late at night when an overworked MS tech
writing web pages on into the night is running low on coffee sometimes
- we could give them a break and overlook it.

Please keep in mind a whole lot of problems come about immediately when
reading MS pages verbatim without a LOT of leeway, skepticism, common
sense, and outright forgiveness very much in play. My current
favorite is the incredible, unknown before the year 2000, Windows 98
Standard Edition. There never WAS such a creature, there was only
Gold and Second Edition 98s. Some damned MS webpage idiot
misinterpreted the letters SE and everybody knows it!!!
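
The lookup chain described in the post above (extension key, then the named class, then its DefaultIcon) can be walked mechanically over a registry export. The following is an added example, not code from any poster in this thread: it parses a constructed REGEDIT4-style sample and lists the extensions whose DefaultIcon is "%1", meaning the shell takes the icon from the file itself. The sample entries other than the .ani ones quoted above, and the function names, are assumptions.

```python
import re

# Constructed sample in REGEDIT4 export format. Only the .ani/anifile
# entries come from the post above; the rest is made up for illustration.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.ani]
@="anifile"

[HKEY_CLASSES_ROOT\anifile]
@="Animated Cursor"

[HKEY_CLASSES_ROOT\anifile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\.cur]
@="curfile"

[HKEY_CLASSES_ROOT\curfile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]
@="shell32.dll,-152"

[HKEY_CLASSES_ROOT\.xyz]
@="xyzfile"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')       # [HKEY_...\path]
DEFAULT_RE = re.compile(r'^@="(.*)"$')   # @="default value"
ROOT = 'hkey_classes_root\\'


def parse_defaults(reg_text):
    """Return {lowercased key path: default (unnamed) string value}."""
    defaults = {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DEFAULT_RE.match(line)
        if m and key is not None:
            # .reg files double backslashes inside string values
            defaults[key] = m.group(1).replace('\\\\', '\\')
    return defaults


def self_rendered_types(reg_text):
    """Map extension -> class name for types whose DefaultIcon is "%1".

    For these types the shell builds the icon from the file's own
    contents, so the file is parsed as soon as it is listed, whether or
    not any 'open' action is registered for it.
    """
    defaults = parse_defaults(reg_text)
    found = {}
    for key, progid in defaults.items():
        if not key.startswith(ROOT):
            continue
        name = key[len(ROOT):]
        # Only top-level ".ext" keys that point at a class name
        if not name.startswith('.') or '\\' in name or not progid:
            continue
        icon = defaults.get(ROOT + progid.lower() + '\\defaulticon')
        if icon is not None and icon.strip() == '%1':
            found[name] = progid
    return found


if __name__ == '__main__':
    for ext, progid in sorted(self_rendered_types(SAMPLE_REG).items()):
        print(ext, '->', progid, '(icon rendered from file content)')
```
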
98 Guy
2007-04-05 05:03:19 UTC
Post by Lee
When I use Dependency Walker on my own 4/23/99 user.dll (Win98se)
LoadIcon Function ()
The LoadIcon function loads the specified icon resource from the
executable (.exe) file associated with an application instance.
Yes, I saw that (loadiconw) and I think there was also LoadIconA.
Post by Lee
Can I suggest that the LoadAniIcon Function name to be so much
MS hogwash and that the real name for the function IS LoadIcon
instead?
Well, it's being quoted all over the internet. Apparently nobody else
is checking.

Here's something interesting.

From this web-page:

http://www.rootkit.net.cn

(which I know looks dangerous)

I went here:

http://www.rootkit.net.cn/read.php?23

and downloaded this:

http://www.milw0rm.com/sploits/04012007-exp.zip

Funny thing about that. When you unzip it, it unzips to a directory
called exp. Inside \exp is about 103 files, all of them are .htm
files except for one file. It's called riff.ico.

(PS: where in the registry are riff files handled?)

Guess what happens the minute that you scroll to the point that
riff.ico becomes visible in the explorer window?

This program has performed an illegal operation and will
be shut down. Explorer caused a general protection fault
in module USER.EXE (yada yada yada).

All the .htm files contain the same content, and I suspect there are
100 of them so that you can watch the vulnerability in action. (!)

Here is (part) of the content of the htm files:

-------------------

..::[ jamikazu presents ]::..

Windows Animated Cursor Handling Exploit (0day) (Version3)

Works on fully patched Windows Vista
I think it is first real remote code execution exploit on vista =)

Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default
installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default
installation and UAC enabled)
Windows XP SP2
(It also must to work on all nt based windows but not tested)

Update: It also bypass eeye security ani patch!

Author: jamikazu
Mail: ***@gmail.com

Bug discovered by determina (http://www.determina.com)

Credit: milw0rm,metasploit, SkyLined, http://doctus.net/

invokes calc.exe if successful

-------------------------

So I'd have to say that win-98 is indeed vulnerable to this exploit
(and it seems that so is Vista!) but at least I have a good test file
to use if I come across a solution.

Wow, this ANI thing could turn out to be real nasty...
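
The files discussed in this thread carry .jpg and .ico names but begin with "RIFF", so the extension says nothing about what the cursor loader will end up parsing. Added example (not from any poster, and not the test files themselves): a content check that recognises RIFF/ACON data under any file name and flags an `anih` header chunk whose declared size is not the 36 bytes of the ANI header structure. The sample buffers and file names are constructed, and the finding labels are hypothetical.

```python
import struct

ANIH_SIZE = 36  # ANI header structure: nine 32-bit fields


def _chunks(buf, start, end):
    """Yield (fourcc, data_offset, declared_size) for chunks in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        (size,) = struct.unpack_from('<I', buf, pos + 4)
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned


def inspect_riff(buf, name='<buffer>'):
    """Classify a buffer by content and list structural findings."""
    findings = []
    if len(buf) < 12 or buf[:4] != b'RIFF' or buf[8:12] != b'ACON':
        return {'is_ani': False, 'findings': findings}

    # Animated-cursor data under another extension, as with the
    # .jpg and .ico files described in the thread
    ext = name.rsplit('.', 1)[-1].lower() if '.' in name else ''
    if ext != 'ani':
        findings.append('extension-mismatch')

    (riff_size,) = struct.unpack_from('<I', buf, 4)
    if 8 + riff_size > len(buf):
        findings.append('riff-size-exceeds-file')
    end = min(len(buf), 8 + riff_size)

    anih_count = 0
    stack = [(12, end)]  # (start, end) of containers still to walk
    while stack:
        start, stop = stack.pop()
        for fourcc, off, size in _chunks(buf, start, stop):
            if fourcc == b'anih':
                anih_count += 1
                if size != ANIH_SIZE:
                    findings.append('anih-size-%d' % size)
            if off + size > stop:
                findings.append('chunk-overruns-container')
                break  # nothing after this point can be trusted
            if fourcc == b'LIST' and size >= 4:
                stack.append((off + 4, off + size))  # skip list type
    if anih_count != 1:
        findings.append('anih-count-%d' % anih_count)
    return {'is_ani': True, 'findings': findings}


# --- constructed sample data (not taken from any real file) ---
def _chunk(fourcc, data):
    pad = b'\x00' if len(data) & 1 else b''
    return fourcc + struct.pack('<I', len(data)) + data + pad


def _riff(form, body):
    return b'RIFF' + struct.pack('<I', 4 + len(body)) + form + body


_HEADER = struct.pack('<9I', 36, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD_ANI = _riff(b'ACON', _chunk(b'anih', _HEADER))
BAD_HEADER = _riff(b'ACON', _chunk(b'anih', bytes(52)))  # wrong header size
WAVE = _riff(b'WAVE', _chunk(b'fmt ', bytes(16)))

if __name__ == '__main__':
    for label, data in [('hourglas.ani', GOOD_ANI),
                        ('sample.jpg', BAD_HEADER),
                        ('sound.wav', WAVE)]:
        print(label, inspect_riff(data, label))
```
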
MEB
2007-04-06 02:47:04 UTC
"98 Guy" <***@Guy.com> wrote in message news:***@Guy.com...
| Lee wrote:
|
| > When I use Dependency Walker on my own 4/23/99 user.dll (Win98se)
| > file I find:
| > LoadIconW - right clicked and searched for on msdn.com results in:
| >
| > LoadIcon Function ()
| > The LoadIcon function loads the specified icon resource from the
| > executable (.exe) file associated with an application instance.
|
| Yes, I saw that (loadiconw) and I think there was also LoadIconA.
|
| > Can I suggest that the LoadAniIcon Function name to be so much
| > MS hogwash and that the real name for the function IS LoadIcon
| > instead?
|
| Well, it's being quoted all over the internet. Apparently nobody else
| is checking.
|
| Here's something interesting.
|
| From this web-page:
|
| http://www.rootkit.net.cn
|
| (which I know looks dangerous)
|
| I went here:
|
| http://www.rootkit.net.cn/read.php?23
|
| and downloaded this:
|
| http://www.milw0rm.com/sploits/04012007-exp.zip
|
| Funny thing about that. When you unzip it, it unzips to a directory
| called exp. Inside \exp is about 103 files, all of them are .htm
| files except for one file. It's called riff.ico.
|
| (PS: where in the registry are riff files handled?)
|
| Guess what happens the minute that you scroll to the point that
| riff.ico becomes visible in the explorer window?
|
| This program has performed an illegal operation and will
| be shut down. Explorer caused a general protection fault
| in module USER.EXE (yada yada yada).
|
| All the .htm files contain the same content, and I suspect there are
| 100 of them so that you can watch the vulnerability in action. (!)
|
| Here is (part) of the content of the htm files:
|
| -------------------
|
| ..::[ jamikazu presents ]::..
|
| Windows Animated Cursor Handling Exploit (0day) (Version3)
|
| Works on fully patched Windows Vista
| I think it is first real remote code execution exploit on vista =)
|
| Tested on:
| Windows Vista Enterprise Version 6.0 (Build 6000) (default
| installation and UAC enabled)
| Windows Vista Ultimate Version 6.0 (Build 6000) (default
| installation and UAC enabled)
| Windows XP SP2
| (It also must to work on all nt based windows but not tested)
|
| Update: It also bypass eeye security ani patch!
|
| Author: jamikazu
| Mail: ***@gmail.com
|
| Bug discovered by determina (http://www.determina.com)
|
| Credit: milw0rm,metasploit, SkyLined, http://doctus.net/
|
| invokes calc.exe if successful
|
| -------------------------
|
| So I'd have to say that win-98 is indeed vulnerable to this exploit
| (and it seems that so is Vista!) but at least I have a good test file
| to use if I come across a solution.
|
| Wow, this ANI thing could turn out to be real nasty...

That likely bypassed the eEye patch because you ran it locally... the patch
addresses only the issues when related to - QUOTE:

A patch is available from eEye which addresses the vulnerability. eEye's
patch works by preventing the loading of animated cursor icons from
non-local locations, such as the Internet. As such, this patch does not
mitigate the vulnerability, only remote exploits. It can still be exploited
locally by file copying, transmission through a .ZIP archive file and so
forth.
END QUOTE

Well, since you're discussing things:
http://www.eeye.com/html/resources/downloads/other/index.html

Check out the ActiveX tool and the bootroot attack..
--
MEB
_______________
MEB
2007-04-06 05:45:38 UTC
Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
the 98 system via unicows, didn't you? Best check the vulnerabilities/flaws
installed when using unicows...
A standard 98 system would have unicows dll in Media player; some Unicode
support in fonts, Word, registry, ... . And only if installed: Adobe Reader,
OE Quotefix, ...
Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
full UNICODE base support built-in.

You MAY have increased the potential vulnerability in Win98 when you
installed the patch [depends upon how it was used/applied].

Where are your unicow dlls located?

What registry entries do you have for unicow?

unicows contains:

LoadBitmapA
LoadBitmapW
LoadCursorA
LoadCursorW
LoadCursorFromFileA
LoadCursorFromFileW
LoadIconA
LoadIconW
LoadImageA
LoadImageW
...
WNetAddConnectionA
WNetAddConnectionW
WNetAddConnection2A
WNetAddConnection2W
WNetAddConnection3A
WNetAddConnection3W
WNetCancelConnectionA
WNetCancelConnectionW
WNetCancelConnection2A
WNetCancelConnection2W
WNetConnectionDialog1A
WNetConnectionDialog1W
WNetDisconnectDialog1A
WNetDisconnectDialog1W
WNetEnumResourceA
WNetEnumResourceW
WNetGetConnectionA
WNetGetConnectionW
WNetGetLastErrorA
WNetGetLastErrorW
WNetGetNetworkInformationA
WNetGetNetworkInformationW
WNetGetProviderNameA
WNetGetProviderNameW
WNetGetResourceInformationA
WNetGetResourceInformationW
WNetGetResourceParentA
WNetGetResourceParentW
WNetGetUniversalNameA
WNetGetUniversalNameW
WNetGetUserA
WNetGetUserW
WNetOpenEnumA
WNetOpenEnumW
WNetUseConnectionA
WNetUseConnectionW
RegCloseKey
RegEnumValueA
RegOpenKeyExA
GetUserNameA
GetUserNameW
IsTextUnicode
RegConnectRegistryA
RegConnectRegistryW
RegCreateKeyA
RegCreateKeyW
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegDeleteValueA
RegDeleteValueW
RegEnumKeyA
RegEnumKeyW
RegEnumKeyExA
RegEnumKeyExW
RegEnumValueW
RegLoadKeyA
RegLoadKeyW
RegOpenKeyA
RegOpenKeyW
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryMultipleValuesA
RegQueryMultipleValuesW
RegQueryValueA
RegQueryValueW
RegQueryValueExA
RegQueryValueExW
RegReplaceKeyA
RegReplaceKeyW
RegSaveKeyA
RegSaveKeyW
RegSetValueA
RegSetValueW
RegSetValueExA
RegSetValueExW
RegUnLoadKeyA
RegUnLoadKeyW
...
WINSPOOL.DRV
OleUIAddVerbMenuW
OleUIBusyW
OleUIChangeIconW
OleUIChangeSourceW
OleUIConvertW
OleUIEditLinksW
OleUIInsertObjectW
OleUIObjectPropertiesW
OleUIPasteSpecialW
OleUIPromptUserW
OleUIUpdateLinksW
oledlg.dll
...

among numerous others...

I think you can see where there might bring increased vulnerabilities to
Win9X/ME...
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law verses the Peoples' of the world

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
Bill in Co.
2007-04-06 06:58:54 UTC
Correct me if I'm missing something here, but I think it's a desirable thing
to have some unicode support for Win98SE, by having that unicows.dll
installed (in the windows\system directory), to at least allow some apps to
run on Win98SE that otherwise can't. (I can't remember which ones at this
point though!)
Post by MEB
Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
the 98 system via unicows, didn't you? Best check the vulnerabilities/flaws
installed when using unicows...
A standard 98 system would have unicows dll in Media player; some Unicode
support in fonts, Word, registry, ... . And only if installed: Adobe Reader,
OE Quotefix, ...
Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
full UNICODE base support built-in.
You MAY have increased the potential vulnerability in Win98 when you
installed the patch [depends upon how it was used/applied].
Where are your unicow dlls located?
What registry entries do you have for unicow?
I think you can see where there might bring increased vulnerabilities to
Win9X/ME...
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law verses the Peoples' of the world
"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
MEB
2007-04-06 16:20:47 UTC
"Bill in Co." <***@earthlink.net> wrote in message news:O6T$***@TK2MSFTNGP06.phx.gbl...
| Correct me if I'm missing something here, but I think it's a desirable thing
| to have some unicode support for Win98SE, by having that unicows.dll
| installed (in the windows\system directory), to at least allow some apps to
| run on Win98SE that otherwise can't. (I can't remember which ones at this
| point though!)

Ah, which ones; you mean those progs/apps that were actually created during
the transitional period. The 98 - XP application time period, when
applications were shoe-horned into Win9X/ME without the benefit of security
designed around UNICODE usage {Shall we review the number of XP/NT updates
that dealt and deal directly or indirectly with those issues, which were not
{and are not} provided to 9X/ME users?}?

Did you check for potential issues related to its installation/usage?

|
| MEB wrote:
| > Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
| > install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
| > the 98 system via unicows, didn't you? Best check the vulnerabilities/flaws
| > installed when using unicows...
| > A standard 98 system would have unicows dll in Media player; some Unicode
| > support in fonts, Word, registry, ... . And only if installed: Adobe Reader,
| > OE Quotefix, ...
| > Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
| > full UNICODE base support built-in.
| >
| > You MAY have increased the potential vulnerability in Win98 when you
| > installed the patch [depends upon how it was used/applied].
| >
| > Where are your unicow dlls located?
| >
| > What registry entries do you have for unicow?

[unicow inclusions deleted]
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law verses the Peoples' of the world

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happen." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
Bill in Co.
2007-04-06 18:20:30 UTC
Post by MEB
Post by Bill in Co.
Correct me if I'm missing something here, but I think it's a desirable thing
to have some unicode support for Win98SE, by having that unicows.dll
installed (in the windows\system directory), to at least allow some apps to
run on Win98SE that otherwise can't. (I can't remember which ones at this
point though!)
Ah, which ones; you mean those progs/apps that were actually created during
the transitional period. The 98 - XP application time period, when
applications were shoe-horned into Win9X/ME without the benefit of security
designed around UNICODE usage {Shall we review the number of XP/NT updates
that dealt and deal directly or indirectly with those issues, which were not
{and are not} provided to 9X/ME users?}?
Did you check for potential issues related to its installation/usage?
Actually, if memory serves me right, I think I did, and maybe I didn't
install the unicode installer pack, but some other application must have
installed some support for it, since I do have unicows. And I seem to
remember reading something, somewhere, about how, at least in some cases, it
could be problematic, in allowing some apps to install on a Win9x system
that it really shouldn't?? (or that could be problematic) - but I can't
really remember what it all was, now.

As for the so-called "security" issues, THAT is not an issue of concern for
me.
(In case you've forgotten, I haven't downloaded those so-called "security
updates" - as in, "thanks, but no thanks", but that's another, long, story)
Post by MEB
Post by Bill in Co.
Post by MEB
Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
the 98 system via unicows, didn't you? Best check the vulnerabilities/flaws
installed when using unicows...
A standard 98 system would have unicows dll in Media player; some Unicode
support in fonts, Word, registry, ... . And only if installed: Adobe Reader,
OE Quotefix, ...
Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
full UNICODE base support built-in.
You MAY have increased the potential vulnerability in Win98 when you
installed the patch [depends upon how it was used/applied].
Where are your unicow dlls located?
What registry entries do you have for unicow?
[unicow inclusions deleted]
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law versus the Peoples' of the world
"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happened." Winston Churchill
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
MEB
2007-04-06 23:28:54 UTC
Permalink
"Bill in Co." <***@earthlink.net> wrote in message news:%***@TK2MSFTNGP06.phx.gbl...
| MEB wrote:
| > "Bill in Co." <***@earthlink.net> wrote in message
| > news:O6T$***@TK2MSFTNGP06.phx.gbl...
| >> Correct me if I'm missing something here, but I think it's a desirable thing
| >> to have some unicode support for Win98SE, by having that unicows.dll
| >> installed (in the windows\system directory), to at least allow some apps to
| >> run on Win98SE that otherwise can't. (I can't remember which ones at this
| >> point though!)
| >
| > Ah, which ones; you mean those progs/apps that were actually created during
| > the transitional period. The 98 - XP application time period, when
| > applications were shoe-horned into Win9X/ME without the benefit of security
| > designed around UNICODE usage {Shall we review the number of XP/NT updates
| > that dealt and deal directly or indirectly with those issues, which were not
| > {and are not} provided to 9X/ME users?}?
| >
| > Did you check for potential issues related to its installation/usage?
|
| Actually, if memory serves me right, I think I did, and maybe I didn't
| install the unicode installer pack, but some other application must have
| installed some support for it, since I do have unicows. And I seem to
| remember reading something, somewhere, about how, at least in some cases, it
| could be problematic, in allowing some apps to install on a Win9x system
| that it really shouldn't?? (or that could be problematic) - but I can't
| really remember what it all was, now.

I think, should you once again check, that you'd find there was a big
*push* when XP came out by some to attempt to get 98 to support some of the
XP stuff, and to do so required unicows/UNICODE. Supposedly this was to
provide one of the elusive "magic bullets" {as if}. What was found was many
problems were associated with its general installation.. therefore programs
MIGHT install it for its own use, but IIRC, it was not to be installed
otherwise. I found I downloaded it several times since it was originally
released [checking the dozen or so 2000-2006 CDROMS of downloads I have, it's
even on my hard drive again for some reason though not installed], likely
tested it, but have no permanent record which likely meant there was already
enough available on the NET. Seem to remember a convo or three over on MSFN
or somewhere...

|
| As for the so-called "security" issues, THAT is not an issue of concern for
| me.
| (In case you've forgotten, I haven't downloaded those so-called "security
| updates" - as in, "thanks, but no thanks", but that's another, long, story)

Yeap, seems you've traveled there once or twice, or we have... most were
only for IE 6 and OE so unless you had them installed and used them, you
likely didn't need them anyway...

|
| >>
| >> MEB wrote:
| >>> Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
| >>> install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
| >>> the 98 system via unicows, didn't you? Best check the vulnerabilities/flaws
| >>> installed when using unicows...
| >>> A standard 98 system would have unicows dll in Media player; some Unicode
| >>> support in fonts, Word, registry, ... . And only if installed: Adobe Reader,
| >>> OE Quotefix, ...
| >>> Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
| >>> full UNICODE base support built-in.

[more stuff cut]
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law versus the Peoples' of the world

"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happened." Winston Churchill
Or to put it another way:
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
Bill in Co.
2007-04-07 02:26:54 UTC
Permalink
Post by MEB
Post by Bill in Co.
Post by MEB
Post by Bill in Co.
Correct me if I'm missing something here, but I think it's a desirable
thing to have some unicode support for Win98SE, by having that unicows.dll
installed (in the windows\system directory), to at least allow some apps to
run on Win98SE that otherwise can't. (I can't remember which ones at this
point though!)
Ah, which ones; you mean those progs/apps that were actually created during
the transitional period. The 98 - XP application time period, when
applications were shoe-horned into Win9X/ME without the benefit of security
designed around UNICODE usage {Shall we review the number of XP/NT updates
that dealt and deal directly or indirectly with those issues, which were not
{and are not} provided to 9X/ME users?}?
Did you check for potential issues related to its installation/usage?
Actually, if memory serves me right, I think I did, and maybe I didn't
install the unicode installer pack, but some other application must have
installed some support for it, since I do have unicows. And I seem to
remember reading something, somewhere, about how, at least in some cases, it
could be problematic, in allowing some apps to install on a Win9x system
that it really shouldn't?? (or that could be problematic) - but I can't
really remember what it all was, now.
I think, should you once again check, that you'd find there was a big
*push* when XP came out by some to attempt to get 98 to support some of the
XP stuff, and to do so required unicows/UNICODE. Supposedly this was to
provide one of the elusive "magic bullets" {as if}.
"Magic bullets"? What do you mean? You mean for increasing
compatibility with programs designed for XP? I'm assuming that's what
you mean. But it seems that many programs today that say they require XP,
do check for that on installation, and won't even let the installer proceed
on a Win9x system (or at least I've run across a couple like that, when I
tried them out).
Post by MEB
What was found was many
problems were associated with its general installation.. therefore programs
MIGHT install it for its own use, but IIRC, it was not to be installed
otherwise.
That's kind of what I was remembering, too. (I can't remember where I
read about that, but I know I've read something similar to that before).
Post by MEB
I found I downloaded it several times since it was originally
released [checking the dozen or so 2000-2006 CDROMS of downloads I have,
it's even on my hard drive again for some reason though not installed], likely
tested it, but have no permanent record which likely meant there was already
enough available on the NET. Seem to remember a convo or three over on
MSFN or somewhere...
Post by Bill in Co.
As for the so-called "security" issues, THAT is not an issue of concern for
me.
(In case you've forgotten, I haven't downloaded those so-called "security
updates" - as in, "thanks, but no thanks", but that's another, long, story)
Yeap, seems you've traveled there once or twice, or we have... most were
only for IE 6 and OE so unless you had them installed and used them, you
likely didn't need them anyway...
Post by Bill in Co.
Post by MEB
Post by Bill in Co.
Post by MEB
Oh, BTW, you did realize that the eEye ani vulnerability patch appears to
install the non-standard "ADD-IN" 98/ME Microsoft support for UNICODE into
the 98 system via unicows, didn't you? Best check the
vulnerabilities/flaws installed when using unicows...
A standard 98 system would have unicows dll in Media player; some Unicode
support in fonts, Word, registry, ... . And only if installed: Adobe
Reader, OE Quotefix, ...
Whereas, XP, 2000, and above [hence the increased NT vulnerability] have
full UNICODE base support built-in.
[more stuff cut]
--
MEB
http://peoplescounsel.orgfree.com/
BLOG - http://peoplescounsel.spaces.live.com/ Public Notice or the "real
world"
http://groups.google.com/group/the-peoples-law?hl=en - discussion group for
general aspects of Law versus the Peoples' of the world
"Most people, sometime in their lives, stumble across truth.
Most jump up, brush themselves off, and hurry on about their business as if
nothing had happened." Winston Churchill
Morpheus can offer you the two pills;
but only you can choose whether you take the red pill or the blue one.
_______________
98 Guy
2007-04-06 15:17:26 UTC
Permalink
Post by MEB
Oh, BTW, you did realize that the eEye ani vulnerability patch
appears to install the non-standard "ADD-IN" 98/ME Microsoft
support for UNICODE into the 98 system via unicows, didn't you?
Actually I have yet to install any .ani remedy, and I haven't looked
at (or installed) the eEye patch.
Post by MEB
A standard 98 system would have unicows dll in Media player;
some Unicode support in fonts, Word, registry, ... . And only
if installed: Adobe Reader, OE Quotefix, ...
Where are your unicow dlls located?
What registry entries do you have for unicow?
The ONLY reference to unicows.dll in my registry is this:

- an adobe 6 installer key
C:\Program Files\Adobe\Acrobat 6.0\Reader\unicows.dll

I seem to have a CA (Computer Associates) anti-virus package (AV81)
that I don't think I ever installed, and it has unicows.dll
((1.0.4018.0)) in 3 of its directories. I also see it in \program
files\windows media player and \adobe\acrobat 6\reader, and \java\jre
1.5.0\bin. I also have it in c:\ (not sure why, but my root folder is
full of lots of junk).

I do not have unicows.dll in \windows\anything.
Lee
2007-04-07 05:47:58 UTC
Permalink
On Apr 4, 11:03 pm, 98 Guy <***@Guy.com> wrote:
<snip>
Post by 98 Guy
Yes, I saw that (loadiconw) and I think there was also LoadIconA.
Now carry it further and right click on it to launch a search of msdn
network for the phrase and then enter LoadAniIcon manually at that
site for the same search. I had thousands of hits for the first
search and zero for the second, I doubt your search will be any
different. THUS I'm confident that LoadAniIcon is so much bull as is
LoadImage or many other function name suggestions. Especially when
the description for LoadIcon matches exactly the process that the
exploit is using.

<snip>
Post by 98 Guy
(PS: where in the registry are riff files handled?)
You should know that this is an improper question as MS FAT file
system uses extensions to denote file types and riff is NOT an
extension. Just because you normally don't see the .ico extension
doesn't mean that it is not there. File types that also cause this
kind of trouble are .lnk and .pif files.

But riff.ico:
[HKEY_CLASSES_ROOT\.ico]
@="icofile"
"Content Type"="image/x-icon"

and "icofile" file type leads to:
[HKEY_CLASSES_ROOT\icofile\DefaultIcon]
@="%1"
which leads to the exact same operation as .ani file types and that
would be the self extraction of the image within the file itself for
thumbnail display.

<snip>
Post by 98 Guy
Wow, this ANI thing could turn out to be real nasty...
I'm not so worried because there are people on our side (98's) that
are out there building updates for these zero day problems. I didn't
know what to expect when my first zert test showed that I was not
vulnerable, but then I learn that update 891711 imparts at least some
partial immunity (perhaps only as far as the zert test goes though).
Then there is an unofficial 891711 patch (http://www.msfn.org/board/)
that is purported to totally make us immune but I have not applied it
or tested that aspect yet either. Your disclosure of testing
materials is most appreciated provided I survive the testing - TIA.
And if no-one ever hears of me again you can blame or thank 98 Guy.
PCR
2007-04-06 23:55:06 UTC
Permalink
"98 Guy" <***@Guy.com> wrote in message news:***@Guy.com...
| PCR wrote:
|
| > | What I'm not clear on is if Win-9x has any built-in associations
| > | for these ANI files. I've searched my system and can't find
| > | any .ani files (should I?).
| >
| > Maybe. Most of mine are in the Desktop Themes & are animated
| > cursor icons...
|
| Ok, yes I do have them. 96 to be exact, located in

Very good, then, glad you have found them.

| - c:\windows\setup
| - c:\windows\setup\resource kit\apps\imagine_le\qp\animate
| - c:\windows\cursors (3 ani files)
| - c:\program files\Plus!\themes
| - 5 more located in \adaptec, \IEAK, a few others
|
| All of them are being rendered with their own individual (but static)
| thumbnail except for the ones in \resource kit\ (those are shown with
| the standard windows thumbnail for unknown file type). Those in
| particular do not start with "RIFF" but all others do.

I don't have the Resource Kit & cannot check. The .ani I have all seem
to have the RIFF reference inside, as shown in Notepad.

| My system is calling these "ACDSee ANI Image" files and ACDSee is
| launched when these files are double-clicked (and they are animated
| when viewed by ACDSee).

ACDSee probably shows up as associated with .ani, then, in Folder
Options, File Types tab. So, when you click an .ani, ACDSee will open &
display it. It doesn't prevent other apps from opening & using them,
though.

| > BUT three of mine are outside the Desktop Themes folders, & two
| > of those are fairly old...
| >
| > C:\>DIR C:\WINDOWS\CURSORS\*.ani
| > GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
| > APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
| > HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
| > 3 file(s) 26,718 bytes
|
| Yes, I have the same 3 (and only those 3) in my \cursors\ directory.

That seems to be about right.

| > Nope-- there is no association for them on a stock machine.
| > And QuikView doesn't know how to run them, either, but will
| > only open them for reading. It's unreadable, though, except
| > for the first line, which also can be seen in Notepad...
|
| What thumbnail icon is your OS showing for those .ANI files, and how
| is it describing them in the file "Type" column?

Let me go look... They are not animated there. For Globe.ani, I see a
computer in front of a globe. Appstart.ani is an arrow & hourglass.
Hourglas.ani is just an hourglass. They are all static there in Explorer
in Thumbnail view.

| > The icon will animate in the Properties box.
|
| Yes, I see that.

Uhuh. It's nice to watch.

| > | Windows .ANI LoadAniIcon Stack Overflow
| > | * [CVE-2007-1765]
| > | *
| > | * This issue is due to a stack overflow error within the
| > | * "LoadAniIcon()" [user32.dll] function when rendering cursors
| > |
| > | I've just looked at user32.dll with dependency walker and
| > | don't see a "LoadAniIcon" in the function list.
|
| I've just downloaded the win-2K fix from MS from here:
|
| http://tinyurl.com/27hgax

I remember taking a Win2K .dll-- BUT it was VGX.dll, as advised I
believe at...
http://secunia.com/advisories/21989/
I think that was about something else, though perhaps it was similar in
some way.

| And yes it is basically just an updated version of user32.dll.

That was something else-- which I tried & had to reverse! It was POISON
to my machine!

| But I DON'T see "LoadAniIcon" anywhere in the file, nor in the
| Dependency Walker function list.
|
| So what's the deal here?

Can you post the URL that mentions "LoadAniIcon"? That function, I said,
is in NO .dll in this machine!
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
***@netzero.net
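The posts above note that the .ani files begin with "RIFF" and that the test page's .jpg files identify themselves as RIFF internally, so any check has to go by content rather than by extension. The following is an added example, not code from any poster in this thread: it walks the RIFF chunks of an animated-cursor ("ACON") file and reports every "anih" header chunk whose declared size is not the format's fixed 36 bytes. The finding labels, function names and sample bytes are constructed for this sketch.

```python
import struct

ANIH_SIZE = 36  # the 'anih' chunk carries a fixed 36-byte header structure

def walk_chunks(data, start, end):
    """Yield (fourcc, declared_size, overruns) for every chunk, descending into LISTs."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_end = pos + 8 + size
        overruns = body_end > end
        yield fourcc, size, overruns
        if overruns:
            return  # nothing after a chunk that runs past its container can be trusted
        if fourcc == b"LIST" and size >= 4:
            # LIST payload is a 4-byte list type followed by nested chunks
            yield from walk_chunks(data, pos + 12, body_end)
        pos = body_end + (size & 1)  # chunks are padded to an even length

def inspect(name, data):
    """Return a list of findings for one file, judged by content rather than name."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return ["not-riff"]
    if data[8:12] != b"ACON":
        return ["riff-other"]
    findings = ["riff-acon"]
    if not name.lower().endswith(".ani"):
        findings.append("name-content-mismatch")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if 8 + riff_size > len(data):
        findings.append("riff-size-overruns-file")
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    for fourcc, size, overruns in walk_chunks(data, 12, end):
        if overruns:
            findings.append("chunk-overruns:" + fourcc.decode("latin-1"))
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:  # check every header chunk, not only the first
                findings.append(f"anih#{anih_count}-size:{size}")
    if anih_count == 0:
        findings.append("no-anih")
    elif anih_count > 1:
        findings.append("multiple-anih")  # heuristic: one header chunk is expected
    return findings

# --- constructed sample data (built in memory, not taken from any real file) ---
def chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad

def riff_acon(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)  # nine DWORD fields
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 8))
SAMPLES = {
    "cursor.ani": riff_acon(chunk(b"anih", HEADER), FRAMES),
    "picture.jpg": riff_acon(chunk(b"anih", HEADER), FRAMES,
                             chunk(b"anih", HEADER[:20])),
    "notes.txt": b"plain text, no RIFF signature here",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {inspect(name, data)}")
```
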
Franc Zabkar
2007-04-05 04:47:21 UTC
Permalink
Post by PCR
| Macro$haft issued a fix for this item back in 2005 (I think) but it
| only addressed half of the potential vulnerability (ie it was only a
| half-baked solution).
|
| What I'm not clear on is if Win-9x has any built-in associations for
| these ANI files. I've searched my system and can't find any .ani
| files (should I?).
Maybe. Most of mine are in the Desktop Themes & are animated cursor
icons...
<snip>
Post by PCR
BUT three of mine are outside the Desktop Themes folders, & two of those
are fairly old...
C:\>DIR C:\WINDOWS\CURSORS\*.ani
GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
FWIW, I haven't installed Desktop Themes but I still have the same
three .ani files.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
PCR
2007-04-06 23:08:15 UTC
Permalink
"Franc Zabkar" <***@iinternode.on.net> wrote in message news:***@4ax.com...
| On Wed, 4 Apr 2007 18:26:48 -0400, "PCR" <***@netzero.net> put
| finger to keyboard and composed:
|
| >98 Guy wrote:
| >| Macro$haft issued a fix for this item back in 2005 (I think) but it
| >| only addressed half of the potential vulnerability (ie it was only a
| >| half-baked solution).
| >|
| >| What I'm not clear on is if Win-9x has any built-in associations for
| >| these ANI files. I've searched my system and can't find any .ani
| >| files (should I?).
| >
| >Maybe. Most of mine are in the Desktop Themes & are animated cursor
| >icons...
|
| <snip>
|
| >BUT three of mine are outside the Desktop Themes folders, & two of those
| >are fairly old...
| >
| >C:\>DIR C:\WINDOWS\CURSORS\*.ani
|
| >GLOBE ANI 6,300 08-29-02 7:14a GLOBE.ANI
| >APPSTART ANI 8,274 04-23-99 10:22p APPSTART.ANI
| >HOURGLAS ANI 12,144 04-23-99 10:22p HOURGLAS.ANI
|
| FWIW, I haven't installed Desktop Themes but I still have the same
| three .ani files.

It certainly is a part of Win98, then-- at least SE, probably FE, &
possibly even back to Win95...

http://support.microsoft.com/kb/123334/en-us
Requirements for Animated Cursors

..., ALTHOUGH I can't really say for sure that article is speaking of
.ani files. Also, I believe those .ani are not all cursors. Globe.ani
may be the icon that spins in the IE tool button area (upper right).

But I see 98 Guy has found his .ani files-- very good!

| - Franc Zabkar
| --
| Please remove one 'i' from my address when replying by email.
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
***@netzero.net
Franc Zabkar
2007-04-05 04:47:21 UTC
Permalink
Post by 98 Guy
Macro$haft issued a fix for this item back in 2005 (I think) but it
only addressed half of the potential vulnerability (ie it was only a
half-baked solution).
What I'm not clear on is if Win-9x has any built-in associations for
these ANI files. I've searched my system and can't find any .ani
files (should I?).
Zert has a webpage containing a benign version of the ani exploit that
(warning - don't click on this link unless you are prepared to
re-start your system)
http://zert.isotf.org/tests/testani.htm
I've tried it from a few win-98 machines and they aren't affected by
the exploit (in other words, my win-98 systems don't crash).
I don't think win-98 has any built-in associations for .ANI files (and
I don't have any ani files on my system).
The webpage above contains xpsp2_2180.jpg and xpsp2_2622.jpg. They
appear (internally) to identify themselves as "RIFF" files (Resource
Interchange File Format). When submitted to Virus Total, those files
are identified as various forms of ANI exploits (viral, trojan, etc).
If an OS doesn't have any built-in association for .ani (or .riff?)
files, then I can't see how the exploit can work.
Keep in mind that MS has often (in the past) lumped Win-9x into lists
of OS's that were vulnerable to this or that exploit when in fact they
weren't.
Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack
* overflow error within the "LoadAniIcon()" [user32.dll] function
* when rendering cursors, animated cursors or icons with a
* malformed header, which could be exploited by remote attackers
* to execute arbitrary commands by tricking a user into visiting
* a malicious web page or viewing an email message containing a
* specially crafted ANI file.
I've just looked at user32.dll with dependency walker and don't see a
"LoadAniIcon" in the function list.
The web site claims that my machine is not vulnerable. My user32.dll
file has no reference to LoadAniIcon. Currently my .ani files are
associated with ACDSee. However, I don't know if there was a prior
association before installing ACDSee.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
jt3
2007-04-05 22:19:51 UTC
Permalink
Post by Franc Zabkar
Post by 98 Guy
Macro$haft issued a fix for this item back in 2005 (I think) but it
only addressed half of the potential vulnerability (ie it was only a
half-baked solution).
What I'm not clear on is if Win-9x has any built-in associations for
these ANI files. I've searched my system and can't find any .ani
files (should I?).
Zert has a webpage containing a benign version of the ani exploit that
(warning - don't click on this link unless you are prepared to
re-start your system)
http://zert.isotf.org/tests/testani.htm
I've tried it from a few win-98 machines and they aren't affected by
the exploit (in other words, my win-98 systems don't crash).
I don't think win-98 has any built-in associations for .ANI files (and
I don't have any ani files on my system).
The webpage above contains xpsp2_2180.jpg and xpsp2_2622.jpg. They
appear (internally) to identify themselves as "RIFF" files (Resource
Interchange File Format). When submitted to Virus Total, those files
are identified as various forms of ANI exploits (viral, trojan, etc).
If an OS doesn't have any built-in association for .ani (or .riff?)
files, then I can't see how the exploit can work.
Keep in mind that MS has often (in the past) lumped Win-9x into lists
of OS's that were vulnerable to this or that exploit when in fact they
weren't.
Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack
* overflow error within the "LoadAniIcon()" [user32.dll] function
* when rendering cursors, animated cursors or icons with a
* malformed header, which could be exploited by remote attackers
* to execute arbitrary commands by tricking a user into visiting
* a malicious web page or viewing an email message containing a
* specially crafted ANI file.
I've just looked at user32.dll with dependency walker and don't see a
"LoadAniIcon" in the function list.
The web site claims that my machine is not vulnerable. My user32.dll
file has no reference to LoadAniIcon. Currently my .ani files are
associated with ACDSee. However, I don't know if there was a prior
association before installing ACDSee.
- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
I'll add my 2 bits--I downloaded the Zert patch, which *says* on the
download page that it is for all Win, or at least includes 98se in the list
(although checking the 'Notes' page shows that they didn't test it on a
98(se) machine), but when I attempted to install it, it wouldn't do it, with
either installer, giving only the error message that 'there is a problem'
but no specifics. What it suggested to me is that the version of user32.dll
must be enough different to not include the patch site.

Joe