The Code Cave

June 30, 2008

Favorite Windows Vista Features: Open Dialog Internet Integration

Filed under: Vista, WINDOWS — Brian @ 4:01 pm

Ok, everyone loves to bash Vista. It’s the in thing. I get it. I run Vista with the User Access Control (UAC) turned off. Once that is done, it is a modern version of Windows XP with some nice features built in. Now some of these have been made available in a limited fashion in XP service packs, like this first example: the integration of the internet into the Open Dialog box.

This is one of my favorite Vista features.
I’ll demonstrate in this video:

October 2, 2007

New keyboard shortcuts in Windows Vista

Filed under: Vista — Brian @ 12:36 pm

OK this is a MAJOR shout out to Daniel Wischnewski for teaching me some new keyboard shortcuts.

Did you know that the first ten (upper) programs in the Quick Launch area are accessible with the [Win]+[1] through [Win]+[0] key combos?

For example in my setup [Win]+[1] is ZTreeWin. [Win]+[4] is the Vista Snipping Tool (C:\Windows\System32\SnippingTool.exe. Try it!!!). [Win]+[0] is the DOS prompt.

Brian Layman’s Quick Launch bar

Pretty cool Eh?

Do you know all of my icons? What do you keep on your Quick Launch bar?

March 31, 2007

Unfixed Outlook & IE hole allows XP&Vista user promotion to Admin

Filed under: Announcements, Delphi, Microsoft, Vista, WINDOWS — Brian @ 11:48 pm

I’d already decided not to post about this, but then learned more. There is no fix. No workaround. I’m vulnerable and at this point, I can’t do anything about it. Even on Vista, just previewing an HTML email in Outlook 2002+ means you are vulnerable. And that’s not just OE but the REAL Outlook used in offices everywhere. You can’t turn off JavaScript, or ActiveX or anything. You don’t even crash. Your system is just pwned…

What does MS have to say?

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker. [...] Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.  Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary. - http://blogs.pcworld.com/staffblog/archives/003973.html

For Outlook, the only fix Microsoft has is “read all e-mail in plain text rather than HTML”. I know Outlook REALLY well, but I don’t remember a setting that does that. There’s no solution for Internet Explorer. Basically any application, even ones that you might have written in Delphi that happen to have a TBrowser component in them that is allowed access to the outside world, is vulnerable. So if you have any custom email programs you’ve written, watch out!

The basic avenue of attack is to display a customized animated cursor. Once you open that email or browse through that site, they gain access to your computer. There is no crash, it just instantly happens. The code can then promote the Limited Access account you are using (because we all only use admin accounts when we need to… Yeah, right!) to an Administrator account, and then do whatever they please, from rootkits to personal webservers. Oh! And of course don’t forget that an “animated” cursor can appear to be static. It can look exactly like your normal cursor.

In the article “Windows Zero-Day Flaw ‘Very Dangerous,’ Experts Say: Bug affecting IE and Windows is potentially very damaging, and there’s no quick fix in sight,” by Gregg Keizer of Computerworld, there are a couple of good quotes.

“This is a good exploit,” Roger Thompson, CTO of Exploit Prevention Labs

“According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista’s Windows Mail–as long as users don’t reply or forward the attacker’s messages. The SANS Institute’s testing, however, contradicted Microsoft; by SANS’ account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows puts users at risk when they simply preview a malicious message. They don’t have to actually open the message to be in danger of an infection.”

“Worse, we know there are vulnerabilities that can be exploited in Vista to escalate privileges,” said Brown. “All you need is access to the system, which this [animated cursor] provides.” Once inside, said Brown, the attacker could up rights from even a safer local user to administrator privileges. “Then, all bets are off.”

UPDATE:

It seems that eEye Digital Security is taking advantage of the situation and has released a patch if you have their 1 year free personal edition intrusion software:

Patch Location: Download Now!
Patch Version: 1.0
Patch Source Code: View

The patch prevents the loading of any non-local ani files. Well, my intrusion software is somewhat out of date anyway. I’ll give it a try. I’ll let you know if this is another “Scare you till you upgrade” program that is hard to remove.

UPDATE #2: eEye Digital Security is incredible. At first glance, it seems to be professional and high-level. I think it is actually meant to protect your system and not scare your Aunt Martha into buying more and more additions to it. I’m impressed. I’m also sad to say that for the second time since 1985ish when I first got a PC clone (a Compaq Portable Plus with Compaq Dos 2.12 and 10mb HD, if you must know), I actually had a virus detected on any disk or computer in my home. It was one just reported in the wild for the first time at the end of Feb. So my current antivirus software, somewhat out of date, hadn’t picked up on it. Still I guess 2 virus detections out of all of the stuff I’ve done and all the disks I’ve used and stuff I’ve downloaded, is a pretty good safety record for 2.2 decades.

March 28, 2007

Microsoft Releases a Vista patch for Delphi 7 support in Vista

Filed under: Delphi, Vista, WINDOWS — Brian @ 8:57 am

ooohhh, I just love this… It’s funny, but won’t be for anyone uninstalling Delphi 7 in order to install Delphi 2007. 

 Just look at the description from one of the linked articles:

After you remove a program from your computer, you can no longer access the CD drive or the DVD drive successfully. The CD drive or the DVD drive does not appear. Or, you receive an error message when you try to access the drive. - http://support.microsoft.com/kb/314060/

Isn’t that just cool?  Uninstall a program from a Vista machine and boom: No CD Drive for you! 

Now, Microsoft is a bit vague, so I could be extrapolating too much information from the articles linked to from this topic. In Microsoft’s language they only say “This update also includes fixes that are contained in update 929427. These fixes improve support in Windows Vista for the following applications:” And then it lists a bunch of programs including CDs and multimedia apps and in the very middle is “Delphi 7 Professional”. If anyone else can find more details on the exact issue, I’ll gladly update this article.

The patch is a bit of a mixed bag since installing the patch can produce problems:

Note After you install this update, a CD device or a DVD device may not work correctly. If you select the device in Device Manager and then view the properties for the device, you may receive the following error message:

The software for this device has been blocked from starting because it is known to have problems with Windows. Contact the hardware vendor for a new driver. (Code 48)

This problem occurs because a legacy application may install drivers that are incompatible with Windows Vista.

It is when you go digging into the issue through 314060 that you can see the symptoms of the problem Microsoft is dancing around:

In Microsoft Windows XP, after you remove a CD recording program or a DVD recording program, or after you remove a different program, you experience the following symptoms:

You cannot access the CD drive or the DVD drive by using My Computer.
One of the following error messages appears when you view the CD drive or the DVD drive in Device Manager:

Error message 1

The device is not working properly because Windows cannot load the drivers required for this device (Code 31).

Error message 2

A driver for this device was not required, and has been disabled (Code 32 or Code 31).

Error message 3

Your registry might be corrupted. (Code 19)

You receive an “error code 39” error message.
A message that resembles the following appears in the notification area:

Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)

Delphi 2007 must be in the very helpful “or after you remove a different program” part. ;)

 Anyway the fix is part of the March 2007 Vista update: http://support.microsoft.com/default.aspx/kb/932246

March 16, 2007

CodeRage 2007 Wrapup Presentation (Video 1hr)

Filed under: Astro, CodeGear, Delphi, Delphi for PHP, Video, Vista, WINDOWS — Brian @ 5:24 pm

The Video: (sorry for my 1 second long Outlook popup in the middle of it….)

Download Link 

 

The Chat: 


February 20, 2007

How do you switch from XP to a Vista computer?

Filed under: Vista — Brian @ 11:13 am

Here’s an interesting tool I found:  the Windows Easy Transfer Companion.

 Apparently “Windows Easy Transfer Companion enables you to automatically transfer your most important programs from your Windows XP-based PC to your new Windows Vista-based PC. This way you can become productive on your new PC as soon as possible. Easy Transfer Companion is designed to be used in addition to Windows Easy Transfer—which transfers your data and settings.”

Basically it will use the network to transfer a good portion of your registry from one machine to another. The really funny thing is that it doesn’t seem to care one jot about whether you have the rights to transfer that software… That kind of flies in the face of Microsoft’s rigid activation policy.

Anyway, here’s the official word: 

Windows Easy Transfer Companion enables you to automatically transfer your most important programs from your Windows XP-based PC to your new Windows Vista-based PC. The software will move more than 100 of the most popular programs, as well as many others that you may have installed. You have complete control over selecting which programs to transfer, so only the programs you care about will move. The software will alert you if some programs may not be able to transfer, or may not transfer with high confidence. Most security software is not able to transfer due to technical reasons.

Easy Transfer Companion is designed to be used in addition to Windows Easy Transfer—which is part of Windows Vista and automatically transfers your data and settings. Connecting your two computers can be done with either an Easy Transfer Cable (available online, from retailers, and from PC manufacturers), or a home or small business network. If using an Easy Transfer Cable, you must first install Windows Easy Transfer on your Windows XP-based PC. By using Easy Transfer and Easy Transfer Companion you will be able to quickly and easily setup your new PC with all the data, settings, and programs that matter to you, so you can be productive on your new PC right away.

Easy Transfer Companion only transfers programs from a Windows XP-based PC to a Windows Vista-based PC. Easy Transfer Companion is currently in Beta, and only available for the US market.

December 12, 2006

Windows Vista Deployment Articles to Read

Filed under: Microsoft, Vista, WINDOWS — Brian @ 3:27 pm

Note: These links were created with the Copy Text as Link tool for IE.

This live post is a collection of articles related to mass deploying Windows Vista. Please feel free to add your own as we all prepare for this. I’ll add and drop articles from here as they seem to be more or less important.

My current Windows XP deployment technique involves Symantec Ghost, SysPrep, and several custom built applications. We ship multiple computers and the most recent CD boots to a network using DHCP and a dynamically generated computer name to ensure that a single CD can be used by the shipping and service departments to deliver a consistent image to our clients on new and repaired PCs, regardless of the model. This technique also involves creating a factory backup of the image after it is fully configured in the event an install goes bad and must be restarted (hasn’t happened yet) and allows for rolling backups of the operating system partitions and drive mirror.

The goal is to have a similarly efficient deployment process when we deploy Vista based machines on a set date in the near future.
Articles listed here may not be strictly related to Imaging, but may also include details describing running different types of programs under Vista in hopes that any problems can be foreseen:

Deployment
Inside Vista’s new image-based install
The simple life
ImageX and WIM Image Format
Deploying Windows Vista
Windows Vista imaging and deployment
Is the Windows Image (WIM) format used by the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack the final version that Windows Vista will use?
WIM image format From Wikipedia
Customizing Windows Vista Deployments
Hackers get Hacked with new Windows Vista or directly here. - hacking article that discusses sysprep and WIM images.
Plan, Build, and Deploy Guide
A Guide To Pain-Free Desktop Deployment

Networking
Every Vista PC to get a domain name
Could Vista actually slow down networks?

Release/Version Details
Windows Vista Product Overview for IT Professionals
Vista goes gold: the frenzy begins
Work PCs to miss out on key Vista features
Tough new rules on Vista “OEM”
Windows without windows: Microsoft goes command-line with Server Core
Windows Vista RC1: you have the right to do … nothing, actually
Vista’s account protection: one click and it’s gone

Software/hardware issues
Vista scoots to new boot, but it’s still kinda rooted (A discussion of Vista’s handling of the MBR)
HOW TO: Dual-boot XP and Vista
HOW TO: Run Vista on Linux/XP
Vista still lacks full nVIDIA support
Microsoft deliberately blocking disc burning software in Vista, claims Alcohol
HOW TO: Install Nero 7 on Vista
Nero runs under Vista (at last!)
HOW TO: Coax retro DOS games to play on Vista
Need to eavesdrop on a network? Try Microsoft’s new free tool.

Activation
Vista RTM cracked by pirates before release
Microsoft closes piracy loophole: mandatory activation for volume licenced Vista

Virtualization
One for all

Older XP technologies
Let’s build!
Roll with it
