Vulnerabilities in GDI Could Allow Remote Code Execution

Tuesday, April 03, 2007
This Alert is being issued to notify you of a potential threat involving the .ANI vulnerability patched by today's MS07-017. The vulnerability could reach a very large number of targets and could cause serious impact for enterprises, including complete control of an affected system. The threat affects multiple Microsoft operating systems. It is highly recommended that Microsoft users review the information below and take mitigating steps to decrease the likelihood of an attack.
Perimeter Protection Controls
Perimeter has already deployed controls throughout its Gateway to further protect you from this exploit. Some of the protective measures implemented are described below.
- IDS Signature Tuning – Perimeter has tuned all internal and Internet facing IDS sensors to search for malicious code and content containing ANI files.
- Mail Server Filtering – Filters have been added to the Perimeter mail servers to block all emails with ANI files before reaching your inbox.
- Web Site Filtering – Known malicious web sites have been added to the web content filtering engine to protect against user HTTP infection from a malicious site.
- SMTP Anti-Virus – Perimeter has updated signatures on all SMTP anti-virus servers to include all known ANI exploits.
If you are not subscribed to all of the Perimeter services listed above, please see the information below on customer actions that can be taken to protect your systems.
About the GDI Remote Code Execution Vulnerability
Systems Affected:
- Windows XP (All Versions)
- Windows 2000 (All Versions)
- Windows 2003 Server (All Versions)
- Windows Vista (All Versions)
Impact: An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threat Impact: Currently low, but could escalate rapidly in the next several days to weeks.
Vulnerability Impact: Very High in average corporations; all Windows platforms are vulnerable via one vector or another.
Cost Impact: High - If an internal infection were to occur, reactive patching would be very difficult and clean-up would be arduous.
Vulnerability Description and Facts: There are several newly discovered and publicly disclosed vulnerabilities that make up this threat. The individual vulnerabilities are listed below and can be read in more detail by clicking on the CVE link.
| Vulnerability Identifiers | Impact of Vulnerability |
| --- | --- |
| GDI Local Elevation of Privilege Vulnerability - CVE-2006-5758 | Elevation of Privilege |
| WMF Denial of Service Vulnerability - CVE-2007-1211 | Denial of Service |
| EMF Elevation of Privilege Vulnerability - CVE-2007-1212 | Elevation of Privilege |
| GDI Invalid Window Size Elevation of Privilege Vulnerability - CVE-2006-5586 | Elevation of Privilege |
| Windows Animated Cursor Remote Code Execution Vulnerability - CVE-2007-0038 | Remote Code Execution |
| GDI Incorrect Parameter Local Elevation of Privilege Vulnerability - CVE-2007-1215 | Elevation of Privilege |
| Font Rasterizer Vulnerability - CVE-2007-1213 | Elevation of Privilege |
Customer Recommended Actions:
Perimeter recommends that one or more of the effective mitigations (below) be deployed within three days, depending on your environment. Past trends have shown that attackers prefer long holiday weekends, such as the upcoming Easter weekend, for large-scale seeding of attacks.
Effective mitigations for all risk scenarios include the following:
1. Convert inbound HTML-based email to plain text - very effective.
HTML, including HTML-based email, can include references to cursors (including animated cursors) to be displayed when the mouse pointer is over a page or an element within a page. The referenced cursor need only be accessible for it to be rendered. Internet Explorer, and mail programs that rely on IE or MS Web components for rendering, can render cursors on HTML content. Firefox, however, cannot. Regardless of which browser you use, the issue is not the browser but the mail agent: if the mail agent renders HTML using IE, it is vulnerable.
2. Apply MS07-017 - very effective.
Microsoft has released a patch specific to each affected operating system listed above. The patch information can be found at the following link: http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
3. Disable Preview Pane in Outlook, and enable AutoPreview – significantly reduces likelihood of extensive enterprise impact.
Exploitation can occur within Outlook's Preview Pane. This is significant because, while best practices recommend that it be disabled (and AutoPreview enabled in its place), Microsoft has continued to make it part of the default configuration. Disabling the Preview Pane significantly reduces the possibility of the threat being exploited, but it does not prevent it. Perimeter understands that it is extremely difficult to enforce a no-Preview-Pane policy or to verify that it is being adhered to. At the very least, however, Perimeter recommends that you advise your employees to ensure that their mouse is not left sitting over the Preview Pane when they are idle.
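The following is an added example, not part of the original alert or Perimeter's own filtering code, of the two mail-side checks behind the controls and mitigation 1 above: finding CSS cursor references in inbound HTML mail (the trigger that converting to plain text removes) and identifying ANI content by its RIFF/ACON header rather than by file extension, so a renamed attachment is still caught. The sample message, addresses and file names are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Animated cursors are RIFF containers whose form type is "ACON"; checking the
# header rather than the file extension catches renamed attachments.
ANI_MAGIC_RE = re.compile(rb"RIFF.{4}ACON", re.DOTALL)
# CSS cursor references such as style="cursor: url(http://host/x.ani)",
# whether they appear inline or inside a <style> block.
CURSOR_REF_RE = re.compile(
    r"cursor\s*:\s*url\s*\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def scan_message(raw: bytes) -> dict:
    """Inspect one RFC 822 message and report HTML cursor references and
    parts that carry an ANI header, regardless of their declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"cursor_refs": [], "ani_parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = payload.decode(charset, errors="replace")
            findings["cursor_refs"].extend(CURSOR_REF_RE.findall(html))
        if ANI_MAGIC_RE.match(payload):
            findings["ani_parts"].append(part.get_filename() or part.get_content_type())
    return findings


def build_sample() -> bytes:
    """Constructed sample message (not a real capture): an HTML body with a
    cursor reference plus a JPEG-labelled attachment that is really an ANI
    container (RIFF header only, no cursor frames)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text alternative")
    msg.add_alternative(
        '<html><body style="cursor: url(http://example.invalid/c.ani)">'
        "hello</body></html>", subtype="html")
    fake_ani = b"RIFF" + (4).to_bytes(4, "little") + b"ACON"
    msg.add_attachment(fake_ani, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg.as_bytes()
```

A gateway would act on either finding: strip or convert the HTML part when cursor references are present, and quarantine any part whose header identifies it as an animated cursor.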