Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan

Case Study: MS07-017

The animated cursor (ANI) vulnerability was discovered by Alexander Sotirov in late 2006 and patched by Microsoft with the MS07-017 critical update in April, 2007 . Apart from being a client-side vulnerability that was exposed through web-browsers and other mediums, the ANI vulnerability was one of the first notable security issues that affected Windows Vista. It was notable due to the simple fact that even though Microsoft had touted Windows Vista as being the most secure operating system to date, the exploits that were released for the ANI vulnerability were very reliable. These exploits were able to ignore or defeat the protections offered by mitigations such as GS, DEP, and even Vista's newest mitigation: ASLR.

To better understand how this was possible it is important to dive deeper into the details of the vulnerability itself. §3.1 gives a brief description of the ANI vulnerability and some of the techniques that were used to successfully exploit it. Following this description, §3.2 illustrates how exploitation properties, in combination with another class of properties, can be used to detect functions that may contain vulnerabilities similar to the ANI vulnerability. This is meant to help illustrate the perceived benefits of applying the concept of exploitation properties to aide in the process of identifying regions of code that may deserve additional scrutiny based on their perceived exploitability.