Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (MS05-002)

The .ani file format is used for reading and storing Windows Animated Cursors (animated mouse pointer). A .ani file is a structured format ( Microsoft RIFF) that contains information about the animation (author, title, steps etc) followed by several frames stored in the icon format.

The vulnerability is caused due to insufficient format validation prior to rendering cursors, animated cursors, and icons. An additional vulnerability has been discovered in the way that the Windows kernel handles .ani files. The Windows kernel does not properly check the frame number and the rate number in the ANI file header. Setting this number to 0 will result in either kernel crash or resource consumption, resulting in a denial of service condition.

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55W and InterSpect who have performed the Update outlined below, will be able to identify this attack by the following logging entries:

Attack Name: ANI Content Protection Violation
Attack Information: Malformed ANI File

Users of VPN-1 NG with Application Intelligence R55 will receive rule 99801 on the SmartView Tracker.
Rule 99801 - Malformed ANI file

Users of VPN-1 NG with Application Intelligence R54, R55, and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window.

Please verify that you have downloaded the latest SmartDefense Update version:

2. Enforce policy on all modules.

Note: This protection is performance-intensive. Activating it may consume considerable system resources.