loconet Apr 6, 2007
Title is definitely misleading. It reads as if it is a bug in Firefox. It isn't. It is an issue with the Windows operating system. A bug which is exposed with any program that makes use of the animated cursor functionality such as IE7 in XP, Outlook, etc, etc. Saying Firefox is vulnerable is like one day having roads ridden with potholes and then coming out and saying... "government buses' tires are vulnerable to these potholes... but wait a second, so are BMWs. However, if you use our new buses which come with self-repairing tires, there shouldn't be a problem." Dammit, there is still a problem, fix the damn roads. It's not the tires that are vulnerable.
aliarse Apr 6, 2007
"I'm sorry, you got the irc meme wrong. it's supposed to be: /me bothered"
Actually, the correct usage is: Does this face look bovvered? But, WuTeVa.
mancat Apr 6, 2007
By attempting to prevent whatever behavior causes the user to be presented with the opportunity to load an animated cursor. You have to understand, the vulnerability doesn't come into play unless you load an intentionally malformed cursor file. How does the cursor typically get loaded for this attack? When a malicious web site does something to cause the browser to prompt the user to "open this file."
stockjones Apr 6, 2007
Oh my god, it's all Microsoft's fault because Mozilla is the good guy and Microsoft is the bad guy. So many of you have the mentality of junior high kids when it comes to geek fanboyism. Security threats are a problem for everybody. They aren't a Microsoft thing or a Mozilla thing. It's a problem for anyone who makes software. Jesus.
misfitpierce Apr 6, 2007
Well they patched the mouse security vulnerability so this is no more anyways. Ex: As expected, Microsoft has released security update MS07-017, which patches a critical vulnerability in Windows Animated Cursor Handling. The company says it was working on the fix since December, and has posted it early due to reports of attacks.
jorgegt Apr 6, 2007
Wanna play Battlefield tonight?
bmartin Apr 6, 2007
"Microsoft is in a bad position because of their desire to be backwards compatible with their older os types."
The POSIX standard has been around since 1988. They'd be compatible with just about every other OS if they followed this standard. I use a Windows XP system at work every day; I have to interface with Solaris servers for everything I do (compilation, FTP, etc). Having access to a terminal, scripting, etc. would make my life a lot easier.
I applaud them for finally adding in User Access Control. For security purposes, it'd be ideal for them to build Windows around POSIX, and not a POSIX subsystem within Windows. It'd be better if they followed common POSIX conventions instead of mimicking them.
I'm not saying they should be the next Linux or OS X -- far from it -- but POSIX would be a step in the right direction for them. The subsystem only exists in certain MS OS's, such as the premium editions of Vista.
cquinnd Apr 6, 2007
bmartin, let me try to give you a closer example:
1. Program X (trying to run the old Windows way at administrator level) requests access to data or system resources that might give it the ability to compromise the system
2. Vista says "whoa there, I better ask the user if they're OK with this" - invokes UAC
3. User controls whether the action is performed or not
4. Program Y (expecting to run as standard user) requests access to data or system resources that the program needs to manage what the user has already specified for it to do.
5. Vista says "the program is running in a more secure mode, and it is not attempting to access additional resources outside that context" - and allows the program to run without additional prompts.
6. The user goes on with their business, or can choose to run the program at a higher user level in case it does turn out to need access to some system resources to run at its best.
npsken Apr 6, 2007
Good point. I have it set to automatically install critical updates.