Firefox ANI exploit on the way - no protected mode

Determina is previewing a version of the ANI exploit that will hijack Mozilla Firefox 2 as well as Internet Explorer 7 running on Vista (with default DEP settings mostly turned off). DEP could have stopped this exploit from running, but it's turned off for most applications in Windows by default. At this time, Alexander Sotirov (chief reverse engineer at Determina) has said that the proof-of-concept exploit code won't be released until there is a patch available in Firefox.

What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by this vulnerability. While UAC will prevent the exploit from infecting the system with a persistent backdoor or rootkit, nothing prevents damage to the user's data unless Protected Mode is implemented. If someone using Firefox gets exploited with this or any other vulnerability, that malicious code gets the same permissions as the user, which means it can read and write to all of that user's data. That means the exploit can steal personal data, delete personal data, or encrypt it for ransom. Internet Explorer, on the other hand, running in Protected Mode would "only" permit the malware to have read-only access to the user's files. While that's still very bad, it's not nearly as bad as full read and write permissions. With Protected Mode, the malware still gets to steal and copy all of your personal data, but it can't alter it, delete it, or encrypt it for ransom.

This leads me to question why Mozilla is dragging its feet in supporting Protected Mode. I have asked Mozilla PR and its developers many times if and when it intends to support Protected Mode, and I have yet to receive an answer. The closest I got was when a Mozilla developer admitted that they had had extensive discussions with Microsoft when they were invited to Redmond for some help supporting Firefox in Vista, but I couldn't get a commitment for Protected Mode.

This is unfortunate because Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better.

Talkback

178 comments
  • Opera MAY be immune to this, I am checking atm

    If someone has Vista and metasploit, could they please try this exploit with Opera 9.1 / 9.2beta please.
    Scrat
    • Message has been deleted.

      Scrat
      • Above should say "Appears to be immune"

        ...
        Scrat
        • Mine says something else

          "you do not appear to be vulnerable to the ie ani cursor exploit"

          Same meaning, different wording.

          Opera is nice at times.
          nucrash
          • I meant that it should not be taken as 100% that...

            this vuln does not work in Opera. This test is but one way to check, there may be others.
            Scrat
        • According to the test on the ZERT website I'm immune using IE7 why

          According to the test on the ZERT website I'm immune using IE7. Why? My anti-virus took care of it.

          I clicked the link and my anti-virus picked it up and deleted it, so it looks to me that it's a red haring and it will only hit computers with out-of-date anti-virus definitions.

          So it goes back to end users keeping their software up to date and patched.
          SO.CAL Guy
          • What the

            heck is a "red haring"?
            What the ...!
          • I suppose it's a variation on the

            British sport of hunting hares with dogs... maybe they pain the hares red? ]:)
            Linux User 147560
          • I guess there would be some "pain" in it (nt)

            nt
            mdsmedia
          • Bleeding edge bunnies

            Used to describe unintended software interactions that live down below the surface.
            Still Lynn
          • soviet-era

            recipe for hassenpfeffer (sp.?) ?
            maskimummu
      • Nice link!

        you do not appear to be vulnerable to the ie ani cursor exploit
        for more information about the exploit and the patch visit: zert

        note: this test may not be effective against all known and vulnerable versions of user32.dll.
        if the test does not crash your browser, you may still be vulnerable.
        please check the microsoft advisory for a list of known affected software.

        ]:)
        Linux User 147560
        • Which is why I posted a followup to that message...

          ...to say that it should not be taken as 100% accurate.
          Scrat
          • Well I would say that in my case it is 100% accurate!

            ;) ]:)
            Linux User 147560
    • Well Scrat....

      I have finally converted to Opera full time. Good bye Firefox.

      It still has minor annoyances with some pages like Zdnet's header, and my local newspaper's menu (sometimes it shows up, sometimes not) but in general it works well.
      ju1ce
      • Well, I hope it serves you well, it has for me

        Opera is not perfect, but it does have its advantages.

        Enjoy!
        Scrat
  • And this "exploit" - Does it Affect Firefox Running in Linux

    ... or is this just a Windows thing?

    BTW - an interesting article comparing IE7 to Firefox on the CNet site (I assume that it's OK to put a link in, since you're all one company, more or less).

    http://reviews.cnet.com/4520-10442_7-6656808-1.html?tag=lnav

    Regards

    Stuart
    BanjoPaterson
    • Seriously, does it matter?

      I mean hacking Linux is like bragging that you hacked your neighbor's coffee maker and changed the clock. No one really cares.
      No_Ax_to_Grind
      • Yes.

        It matters to me because the machines here are not Windozzzze!!!!
        bportlock
        • And we are sooooo happy for you

          but then I wonder why you even care about Windows if you don't use it...

          Are you also this deeply concerned about OS X???
          No_Ax_to_Grind