The Mozilla Foundation is looking at disabling support for the Windows animated cursor format as a workaround for the ANI vulnerability that has left Windows systems open to exploit and complete takeover for the past week.
Firefox users who use automatic update should get an update notification for the workaround. Users who have turned off update notification can use the “Check for Updates…” item on Firefox’s Help menu.
Microsoft posted a security bulletin with patches for the critical ANI flaw on Tuesday. Microsoft, along with Firefox and security researchers, has urged Windows users to patch immediately.
Mozilla Vice President of Engineering Mike Schroepfer told eWEEK that the workaround may come in the next scheduled security release of Firefox.
Firefox lacks a low-privilege mode similar to Microsoft Windows Vista’s Protected Mode—a condition that Determina security researcher Alexander Sotirov demonstrated can be used to overwrite files on an exploited system. Windows systems that lack the MS 07-017 patch and are running either Firefox or Internet Explorer in Protected Mode are susceptible to a remote attacker being able to access and read files on a victimized system, but Protected Mode does prevent file overwrite.
Still, anybody who was running anything but Vista was a sitting duck prepatch, and given that not many are as yet running Vista, that meant most Windows users.
Nevertheless, Schroepfer pointed out, Firefox users have been safer than IE users, given that the ANI flaw is harder to exploit. “On Firefox, [exploiting the vulnerability] takes quite a lot more work than on IE,” he said. “It’s not as obvious where the feature is used on Firefox.”
Firefox will likely still use animated cursors locally if users already have them on their systems, Schroepfer said. Mozilla will disallow loading the ANI files remotely, given that remote access is where the vulnerability lies and is how exploits have been succeeding.
Mozilla has in the past looked into a low-privilege mode, a la Protected Mode on Windows. But, Schroepfer said, it’s “fairly complicated” to program in that mode. Microsoft is the only application maker that includes it, he pointed out.
Still, “It’s something we’re interested in doing,” he said.
As always, Mozilla is focused on reducing the attack surface of Firefox in general, Schroepfer said. That includes not loading ActiveX, for example. The animated cursor vulnerability is a case in point: Mozilla will reduce the amount of Windows code used in Firefox in order to shrink its attack surface.
“We’re still focused on reducing attack service in general,” Schroepfer said.