Mozilla to ship Firefox 'workaround' for .ANI exploit

Mozilla is considering a "workaround" to block the attack vector that puts Firefox users at risk of attacks exploiting the Windows animated cursor (.ani) vulnerability.

Mozilla is considering a "workaround" to block the attack vector that puts Firefox users at risk of attacks exploiting the Windows animated cursor (.ani) vulnerability.

Because Firefox uses the Windows API function that triggers the vulnerable code, the .ani vulnerability can be exploited through Firefox.  (See this Flash demo by Alexander Sotirov, the researcher who discovered the vulnerability).

However, there is no vulnerability for the Firefox developers to patch (once the MS07-017 patch is applied, the user is protected).  Still, Mozilla's VP of engineering Mike Schroepfer said the company is mulling a workaround to reduce the attack surface for Windows users.
 
"The ANI vulnerability is caused by a Windows error...it can be exploited through both Firefox and Internet Explorer," Schroepfer stressed.  

The workaround, which will amount to application hardening, will be fitted into a future Firefox security update.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All