Mozilla to ship Firefox 'workaround' for .ANI exploit

Mozilla is considering a "workaround" to block the attack vector that puts Firefox users at risk of attacks exploiting the Windows animated cursor (.ani) vulnerability.

Because Firefox uses the Windows API function that triggers the vulnerable code, the .ani vulnerability can be exploited through Firefox. (See this Flash demo by Alexander Sotirov, the researcher who discovered the vulnerability.)

However, there is no vulnerability for the Firefox developers to patch (once the MS07-017 patch is applied, the user is protected). Still, Mozilla's VP of engineering Mike Schroepfer said the company is mulling a workaround to reduce the attack surface for Windows users.

"The ANI vulnerability is caused by a Windows error...it can be exploited through both Firefox and Internet Explorer," Schroepfer stressed.

The workaround, which will amount to application hardening, will be fitted into a future Firefox security update.

Topics: Windows, Browser, Security


Talkback

15 comments
  • Why not just patch?

    What's the point? Why not just apply the patch, something you should do anyway?
    Larry Seltzer
    • Agreed

      I thought the same thing when I read this. A "work around"; if IE is patching the vulnerability, why can't Mozilla? That strikes me as odd, being that I use Firefox and stress to people around me to use it as well. Hmph... weird.
      Brandon Dixon
      • Nothing to Patch

        Mozilla can't patch it because there's nothing to patch. Firefox is a victim of Microsoft's new security scheme. There's nothing wrong with Firefox itself. The problem is with Windows Vista/IE7/Microsoft Outlook/Microsoft Mail, because once again, despite the DOJ ruling, all their software is so intertwined as to be inseparable. Since Firefox is not a part of this lucrative melting pot of applications, the only thing they can do for now is raise a deflector shield.
        NWeber1
        • It's got nothing to do with MS's "new" security scheme

          This affects all versions of Windows, not just Vista.

          As such, no, Mozilla can't do anything about it and there is nothing to patch.

          If Mozilla chose not to use the Windows API, like Opera, Firefox would not be vulnerable to this flaw, if what I read yesterday is true, but I might be wrong like the Opera users spouting yesterday.
          mdsmedia
          • Right, not NEW but OVERALL security scheme

            Right again, if you avoid using Windows APIs you will be more secure.

            Isn't there something wrong about this?
            LittleGuy
          • Correction...

            Right again, if you avoid using Windows you will be more secure.
            Knorthern Knight
    • You don't depend on others to resolve your problem

      If Firefox did nothing and allowed Microsoft to patch the hole then Firefox would be vulnerable if Microsoft ever "unpatched" the hole. It is not unknown for patches to undo previous patches.

      Suppose Microsoft's patch fixed IE and not the .ani code?
      bportlock
      • You must depend on MS when it's not your problem!

        Firefox does not control the cursor animations for your Windows desktop - MS Windows does that. Firefox can block cursor data from a website, that's true, but that will break some web sites - like this one where the cursor is changed to a text bar when entering these fine forum posts. That may be their work around though.

        Basically, you don't seem to know enough about coding an app for a given GUI like the Windows GUI or the X Windows server. The application MUST rely on the GUI to display graphics (that's why it's called a Graphical User INTERFACE). It is the interface for the application to display data and accept input from the user.

        It is absolutely the GUI provider's responsibility to properly and securely code their software.

        In other words, Microsoft, alone, all by itself, with no one else to blame, OWNS this problem - NOT Mozilla.

        When you "bought" Windows, you purchased their GUI. It's MS that you should expect to fix it. Period.
        jacarter3
  • Firefox / Firebug critical vulnerability!! (<< for George, he loves 'em)

    Petko D. Petkov has discovered a critical vulnerability in Firefox where Firebug has been installed as an extension.

    A copy of the announcement on Bugtraq:

    http://www.gnucitizen.org/blog/firebug-goes-evil

    Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug

    There is a critical vulnerability in Firefox/Firebug which allows attackers to inject code inside the browser chrome. This can lead to a lot of problems. Theoretically everything is possible, from modifying the user file system to launching processes, installing ROOTKITs, you name it.

    I recommend to disable Firebug for now until the issue is fixed. The issue is a bit critical since Firebug is one of the most popular extensions for Firefox. Given the fact that a lot of the Firefox users are geeks, the chances to have Firebug installed in a random Firefox client are quite high.

    I wrote two POC to demonstrate the issue. You can find them from the page on the top of this message. The first POC runs calc.exe and cmd.exe on windows systems. The second POC does a count down from 10 to 0 and executes calc.exe to prove that automatic execution is possible.

    --
    pdp (architect) | petko d. petkov
    http://www.gnucitizen.org

    More trouble in paradise?
    Scrat
    • That vulnerability is fixed. Try again! :^0

      From (1):

      "...April 4th, 2007 by joe: About an hour ago I received word of a 0-day security exploit that has been discovered and reported. I have just released a new Firebug (version 1.03) with a fix for this bug, and I recommend that everyone install it as soon as possible..."

      The vulnerability is already fixed.

      Maybe Microsoft could fix their problems faster if they spent less time dancing around on stage and more time writing code (2) :^0 .



      -------------------------

      (1) Firebug Development Blog
      http://www.getfirebug.com/blog/

      (2) A code development "war party" at Microsoft
      http://www.youtube.com/watch?v=KMU0tzLwhbE&mode=related&search=
      TechExec2
      • :) And that's the rest of the story.

        Well, that is open source, isn't it? Find a problem, fix a problem.
        The threat might have been a day for the small audience using Firebug, as it isn't very useful for anything except debugging code.

        The original author is much like George and always grasping at straws.
        gotitright
  • Incorrect

    You apparently didn't read. It's not all versions of Windows, only XP SP2 - Vista. XP SP0 and SP1 are not affected. So it is the newer security model that is an issue.
    Spats30
    • appending

      Here's the article that tells which systems are vulnerable:

      http://blogs.zdnet.com/security/?p=141
      Spats30
    • You are totally incorrect.

      http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

      It goes back to Windows 2000 SP4. The MS bulletin also stated it could affect other systems that were not tested because those systems are beyond the life cycle. I believe it is an NT system with IE6 or greater on it as the common denominator.

      As for the newer security model, it is the UAC that catches it from complete automation. Think of it as a safety net but it still has to be patched. The older systems without UAC are the ones that get automatically hosed.
      osreinstall
    • SP0 and SP1 are no longer supported or tested

      Have you examined/tested SP0 and SP1 to see that they're not vulnerable? Or are you merely going by Microsoft's list of OSes which only lists SP2?

      Microsoft no longer supports SP0 or SP1, which means it doesn't even test whether they are vulnerable or not. So unless you've done your own testing, you can't say for sure.
      PB_z