posted on Friday, December 24, 2004 3:12 PM
by
demiliani
Christmas Vulnerabilities for Windows
A bad Christmas for Windows... some new vulnerabilites that affects all Windows systems are been discovered yesterday from a Chinese company, able to discover it but really stupid to publish the exploit on the net. Congratulation... 
However, one vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an e-mail. An other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.
The other 2 exploits are explained on this SecurityFocus post and they involve the Microsoft Windows Kernel management of ANI (Windows Animated Cursor) files.
Parsing a specially crafted ANI file can cause the Windows Kernel to crash or stop to work properly. An attacker can crash or freeze a target system if he sends a specially crafted ANI file within an HTML page or within an Email. 
Seems that XP SP2 is not vulnerable to this, but must be well verified I think.
No words about the common action of publish on the net some exploit code. I don't know if the authors can imagine how dangerous could be actions like these. if you're so intelligent to discover flaws on a complex system like Windows, don't trash all your intelligence on actions that only a stupid can perform please...