Microsoft’s Animated Cursor Patch Causes DLL Errors at Startup

Status
Not open for further replies.

rakeshishere

HELP AND SUPPORT
Did your computer start to give you a DLL error after rebooting? Well, bad luck: it’s that pesky Windows Animated Cursor patch issued by Microsoft…

By now you are probably familiar with the 3-month-old bug discovered by security vendor Determina in December 2006 that refers to a boundary error within the handling of animated cursors. If you’re not, you should know that the flaw, also known as the ANI exploit, can be, well… exploited to cause a stack-based buffer overflow via a specially crafted animated cursor file.

Successful exploitation could have allowed the execution of arbitrary code when a user, e.g., visits a malicious website using Internet Explorer or opens a malicious e-mail message.

The vulnerability first surfaced last week, when Microsoft acknowledged ongoing attacks. Most of the activity around the ANI exploit has been observed via malicious websites (around 100) that will attack the user if he visits the page with the most common versions of Internet Explorer (6 or 7), serving him/her with bogus Web-pages that take advantage of the bug.

Last weekend the number of attacks using this exploit intensified, forcing Microsoft to admit the existence of the bug and to speed up the patching process.

On April 4, Microsoft finally issued a software patch to fix the critical vulnerability that affected its Windows OS. It was only the third patch since January 2005 to be posted outside the normal monthly schedule. It also addressed six other vulnerabilities, three of them affecting Windows Vista.

However, immediately after the update was installed and the computer rebooted, Windows XP SP 2 users with an integrated Realtek HD Audio Control Panel (that includes me and three other computers in my office) were confronted with a DLL error, called RTHDCPL.EXE-Illegal System Relocation:

"The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occured because the DLL C:\WINDOWS\system32\HHCTRL.OCX occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL."

The rthdcpl.exe is located in the folder C:\Windows. The file size on Windows XP is 13179660 bytes. There is an icon for this program on the taskbar next to the clock. It is not a Windows system file. The file is a Microsoft signed file. rthdcpl.exe is able to record inputs.

Microsoft became aware of it only after reports began emerging on the Web and immediately issued a fix located at this address.

However, users have complained that the fix does not always work and that it sometimes comes in conflict with the Windows Genuine Advantage Validation program, which hinders the downloading of the fix. Microsoft promises to update the aforementioned Knowledge Base article as soon as they have more details available from both users and their engineers.

SOURCE
 