Mozilla Eyes Hardening Firefox Against ANI Exploits

Mozilla may toughen up its Firefox browser to better protect it against the Windows animated cursor file bug, the company's lead developer says.

Gregg Keizer, Computerworld

Mozilla may toughen up its Firefox browser to better protect it against the Windows animated cursor (ANI) file bug, the company's lead developer said today.

Even so, Mike Schroepfer, Mozilla's vice president of engineering, made it clear that the problem isn't with Firefox. "The ANI vulnerability is caused by a Windows error," Schroepfer said in an e-mail. "It can be exploited through both Firefox and Internet Explorer. Microsoft has issued a patch to fix Windows, and we encourage all Windows users to apply this update immediately."

In the meantime, PC World Associate Editor Erik Larkin tells you how to further protect Firefox from this critical Windows flaw.

Wednesday, the researcher credited with discovering the ANI bug, Alexander Sotirov at Determina, demonstrated an exploit that worked equally well in Microsoft's IE7 and Firefox 2.0. The latter, in fact, was less safe when running in Windows Vista, said Sotirov, because it lacks IE7's protected mode, a low-privilege setting that blocks most disk write access.

"We are investigating issuing a work-around within Firefox in an upcoming security release," Schroepfer said today.

Although Schroepfer did not elaborate on what steps Mozilla might take, the company has talked about implementing a low-rights mode within Firefox to mimic the IE7 feature under Vista. Last year, for example, before the run-up to Vista's release, several Mozilla developers made a trek north to Microsoft's Redmond, Wash., headquarters and conferred with Vista engineers. Among the things they learned were ideas for ways to run Firefox in a low-privilege setting that would block malware from installing on a PC or altering existing system files.

Since then, however, Mozilla has been quiet about the feature. The planning documents for the still-under-construction Firefox 3.0, for example, don't mention a low-rights or protected mode.

Mozilla's first scheduled opportunity to harden Firefox against the ANI bug would be around May 15, the tentative release date for Version 2.0.0.4, the browser's next security update.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
