The sooner, the better

Apr 5, 2007 14:24 GMT

The recent critical vulnerability in Windows Animated Cursor Handling has brought the heat down on Mozilla. The reason is that Firefox 2.0 can be used as an attack vector to exploit the .ANI file vulnerability in Windows Vista, just as much as Internet Explorer 7. Yesterday you were able to watch a video demonstration of a successful .ANI exploit on Windows Vista via both Firefox and IE7, authored by Alexander Sotirov, the Determina security researcher who discovered the Windows Animated Cursor Handling vulnerability back in December 2006.

The video of the exploit indicates that there is a major difference between IE7 and Firefox 2.0 running on Windows Vista. Both the Microsoft browser and the open source browser access the same vulnerable Windows components to process the malformed .ani files, which makes them both valid attack vectors.

However, the major difference between the two browsers is Protected Mode. IE7 running in Protected Mode has very low privileges. In this context, although an attacker would be permitted access to system files, alteration would not be allowed. The same is not the case with Firefox 2.0. As a matter of fact, via Firefox 2.0, an attacker would share the privileges of the logged-on user. This is one instance where IE7 does a better job of protecting your machine than Firefox 2.0.

Mozilla promised to release an update that would address the Firefox issue in the upcoming security patch release. However, the point here is that Mozilla should implement a Protected Mode in Firefox, similar to the one in IE7, that would work in conjunction with User Account Control in Windows Vista.

Prior to the release of Windows Vista, Firefox developers were invited to Microsoft to touch up support details. No doubt discussions also covered Protected Mode for Firefox. But so far, Mozilla has not hinted in the least that it plans to integrate Protected Mode into Firefox.