Firefox's Lack of Low Privilege Heightens ANI Patch Urgency

Updated: The security researcher who discovered the ANI vulnerability has pointed out that Firefox users who don't install the ANI patch are in danger of files being overwritten in an attack, given that the brow

Firefox users have a greater need than do users running IE in protected mode to install the patch for the animated cursor flaw that caused Microsoft to rush out a security bulletin on April 3, given that Firefox lacks a low-privilege mode.

Alexander Sotirov, the security researcher at Determina who first discovered the ANI flaw and reported it to Microsoft in December, has posted a video depicting successful ANI vulnerability exploits on both Internet Explorer 7 and Firefox 2.0 running on Vista in default mode.


In the video, Sotirov notes that turning on Protected Mode works to protect Vista running IE. Although the exploit gives an attacker access to all files on a system, Protected Mode prevents those files from being overwritten.

It turns out that Firefox uses the same vulnerable Windows component to process .ani files, Sotirov says in the video, "Which means it can be exploited in a way similar to Internet Explorer."

Sotirov demonstrates opening a URL exploit while running Firefox and successfully getting a command shell connection. The shell again gives access to all system files, along with the privileges of the currently logged-on user. But because Firefox has no low-privilege mode similar to IE's Protected Mode, an attacker can also overwrite system files.

This is only the most recent in a string of security concerns around Firefox. In the past months, a Firefox bug that could allow a malicious Web site to appear authentic was uncovered. Mozilla released updated versions to deal with that vulnerability in February.

Not that Firefox is less secure than IE; MS07-017 will patch the animated cursor vulnerability in both. It's just that Firefox users have no protection from a Protected Mode-style low-privilege setting. But as one reader pointed out, considering that Vista Protected Mode matters only if users have Vista, that makes sitting ducks out of just about everybody.

"For the vast majority, the only real answer is immediate testing and deployment of the MS patch," the reader said.

The Mozilla Foundation, which supports Firefox, said in a statement that the ANI vulnerability can be exploited through both Firefox and IE. Mozilla is encouraging all Windows users to apply Microsoft's update immediately. The foundation also said that it is investigating issuing a workaround within Firefox in an upcoming security release.

Editor's Note: This story was updated to correct the impression, given by the previous headline and first sentence, that Firefox is more vulnerable to ANI exploits than IE. The author regrets the misimpression.
