Mozilla to ship Firefox 'workaround' for .ANI exploit

Mozilla is considering a "workaround" to block the attack vector that puts Firefox users at risk of attacks exploiting the Windows animated cursor (.ani) vulnerability.

Because Firefox uses the Windows API function that triggers the vulnerable code, the .ani vulnerability can be exploited through Firefox. (See this Flash demo by Alexander Sotirov, the researcher who discovered the vulnerability.)

However, there is no vulnerability in Firefox itself for the Firefox developers to patch (once the MS07-017 patch is applied, the user is protected). Still, Mozilla's VP of engineering Mike Schroepfer said the company is mulling a workaround to reduce the attack surface for Windows users.

"The ANI vulnerability is caused by a Windows error...it can be exploited through both Firefox and Internet Explorer," Schroepfer stressed.  

The workaround, which will amount to application hardening, will be fitted into a future Firefox security update.

Topics: Windows, Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
