Post Thu Apr 05, 2007 10:07 am

Firefox Still Sitting Duck for ANI Exploits

Firefox browsers are still vulnerable to attacks exploiting the animated cursor flaw that caused Microsoft to rush out a patch on April 3.

Alexander Sotirov, the security researcher at Determina who first discovered the ANI flaw and reported it to Microsoft in December, has posted a video depicting successful ANI vulnerability exploits on both Internet Explorer 7 and Firefox 2.0 running on Vista in default mode.

In the video, Sotirov notes that turning on Protected Mode works to protect Vista running IE. Although the exploit gives an attacker access to all files on a system, Protected Mode prevents those files from being overwritten.

It turns out that Firefox uses the same vulnerable Windows component to process .ani files, Sotirov says in the video, "which means it can be exploited in a way similar to Internet Explorer."

Sotirov demonstrates opening an exploit URL while running Firefox and successfully getting a command shell connection. The shell again gives access to all system files, along with the privileges of the currently logged-on user. But because Firefox has no low-privilege mode similar to IE's Protected Mode, an attacker can also overwrite system files.

This is only the most recent in a string of security concerns around Firefox. In the past months, a Firefox bug that could allow a malicious Web site to appear authentic was uncovered. Mozilla released updated versions to deal with that vulnerability in February.

Not that Firefox is less secure than IE; MS07-017 will patch the animated cursor vulnerability in both. It's just that Firefox users have no Protected Mode-style low-privilege setting to protect them. But as one reader pointed out, considering that Vista Protected Mode matters only if users have Vista, that makes sitting ducks out of just about everybody.

"For the vast majority, the only real answer is immediate testing and deployment of the MS patch," the reader said.

The Mozilla Foundation, which supports Firefox, said in a statement that the ANI vulnerability can be exploited through both Firefox and IE. Mozilla is encouraging all Windows users to apply Microsoft's update immediately. The foundation also said that it is investigating issuing a workaround within Firefox in an upcoming security release.

For original story:,1895,2111290,00.asp