Firefox ANI exploit on the way - no protected mode

Written by George Ou, Contributor

Determina is previewing a version of the ANI exploit that will hijack Mozilla Firefox 2 as well as Internet Explorer 7 running on Vista (with default DEP settings mostly turned off). DEP could have stopped this exploit from running, but it's turned off for most applications in Windows by default. At this time, Alexander Sotirov (chief reverse engineer at Determina) has said that the proof-of-concept exploit code won't be released until there is a patch available in Firefox.
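
To see the default DEP setting described above on a given machine, the following PowerShell reports the system-wide DEP policy and the DEP state of running browser processes. It is an added example, not code from the article or from Determina; the process names `firefox` and `iexplore` are assumptions, and `Get-ProcessMitigation` requires Windows 10 version 1709 or later.

```powershell
# Added example, not from the article: report the system DEP policy and the
# DEP state of running browser processes. Process names are assumptions.
$browserNames = 'firefox', 'iexplore'

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for everything)'
    1 = 'AlwaysOn (DEP enforced for everything)'
    2 = 'OptIn (client default: only system binaries and opted-in programs)'
    3 = 'OptOut (all programs except those explicitly excluded)'
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"System DEP policy      : $($policyNames[$policy])"

if ($policy -eq 2) {
    # This is the "turned off for most applications" case the article describes.
    "Under OptIn, a browser is covered only if it opts in itself."
}

# Per-process view. Run elevated to query processes owned by other users.
foreach ($proc in Get-Process -Name $browserNames -ErrorAction SilentlyContinue) {
    $mitigation = Get-ProcessMitigation -Id $proc.Id
    [pscustomobject]@{
        Process = $proc.ProcessName
        Id      = $proc.Id
        DEP     = $mitigation.Dep.Enable
    }
}
```

The system policy governs 32-bit processes; 64-bit processes always run with DEP enabled regardless of this setting.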

What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by this vulnerability. While UAC will prevent the exploit from infecting the system with a persistent backdoor or rootkit, nothing prevents damage to the user's data unless Protected Mode is implemented. If someone using Firefox gets exploited with this or any other vulnerability, that malicious code gets the same permissions as the user, which means it can read and write to all of that user's data. That means the exploit can steal personal data, delete personal data, or encrypt it for ransom. Internet Explorer, on the other hand, running in Protected Mode would "only" permit the malware to have read-only access to the user's files. While that's still very bad, it's not nearly as bad as full read and write permissions. With Protected Mode, the malware still gets to steal and copy all of your personal data, but it can't alter it, delete it, or encrypt it for ransom.

This leads me to question why Mozilla is dragging its feet in supporting Protected Mode. I have asked Mozilla PR and its developers many times if and when it intends to support Protected Mode, and I have yet to receive an answer. The closest I got was when a Mozilla developer admitted that they had had extensive discussions with Microsoft when they were invited to Redmond for some help supporting Firefox in Vista, but I couldn't get a commitment for Protected Mode.

This is unfortunate because Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better.
