News
News
4/5/2007
05:19 PM
Connect Directly
RSS
E-Mail
50%
50%

Firefox Also Vulnerable To .ANI Exploits

Mozilla warns the animated cursor handling bug that's plagued Microsoft's Internet Explorer could cause trouble for Firefox users as well.

Firefox users aren't immune to the .ANI exploits that have been plaguing Microsoft's Internet Explorer users the past week.

There had been some initial confusion as to whether the bug in Microsoft's Windows operating systems would affect Mozilla's open source Firefox browser. And now it appears it does, said Mike Schroepfer, VP of engineering for Mozilla.

"It turns out there is a path through which Firefox is executing that Windows code," said Schroepfer in an interview with InformationWeek. "It's in the way Firefox loads the animated cursors. It's a more obscure way for it to work."

Schroepfer said because Firefox handles the animated cursors less directly, it makes it more difficult for hackers to exploit the vulnerability to affect Firefox users. He added that he hasn't seen any .ANI exploits aimed at Mozilla's browser, but that doesn't mean they're not out there starting to circulate on the Internet.

Microsoft issued an emergency patch for the .ANI flaw on Tuesday. Users who install the patch should be protected from the exploits -- both on Internet Explorer and Firefox, according to Schroepfer.

To make sure this issue doesn't rear its ugly head again, he also said Mozilla engineers are looking into disabling the browser's ability to load Windows animated cursors from the Internet altogether. If the change is accepted, it would probably be adopted in the upcoming version update of Firefox.

"People wanting to load them legitimately would have to work around it, but we think their usage is rather small," said Schroepfer. "I can't confirm exactly what our fix is going to look like, but we'd like to find a way to avoid ever calling this code from within Windows and loading it from the network."

The .ANI vulnerability lies in the way Windows handles animated cursor files and could enable a hacker to remotely take control of an infected system. The bug affects all the recent Windows releases, including its new Vista operating system. Internet Explorer has been the main attack vector for the exploits.

Users are being infected after visiting a malicious Web page that has embedded malware designed to take advantage of the flaw. They also can be infected if they open an infected e-mail or attachment.

Even though Microsoft released a patch for the vulnerability, it will take some time for consumers and enterprises to install it, and some will take a lot more time than others, said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, in an interview earlier this week. That, he noted, will give the hackers plenty of time to continue their assault.

Hackers haven't slowed their assault on the vulnerability, either.

Sophos, a security company, reported Wednesday morning that attackers launched a new spam campaign aimed at luring users to malicious Web sites where their unpatched systems can be infected with malware. And they're luring users to the malicious site with promises of nude pictures of pop star Britney Spears. Initially, the e-mails only contained text, but they've begun to contain an embedded image of a scantily clad Spears.

And in the 24 hours between Monday and Tuesday mornings, the .ANI exploits became the most detected piece of code coming out of Asia, said Craig Schmugar, a threat researcher with McAfee. Globally, it went from outside of the top 20 to the No. 6 position. He added in an interview that he "has no doubt" it will become the most utilized exploit around the world in a week or two.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at InformationWeek.com.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.