digg

Facebook Connect Join Digg About

Firefox also vulnerable to cursor flaw. Tries to fix on its own.

news.zdnet.com Open-source Firefox browser is vulnerable to attack using the Windows flaw.

Who dugg this? Made popular Apr 5, 2007

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

75 Comments

show profanity settings
expand all
  • xutopia, on 10/12/2007, -6/+57Firefox users on a platform other than Windows need not worry.
  • chrono13, on 10/12/2007, -7/+58"What do you mean "remain" vulnerable?"

    Not everyone patches. Not everyone can. Further, this patch broke things.

    "Microsoft had a patch out almost immediately"

    If you had read anything about this vulnerability, you would know that Microsoft has been sitting on it for 100 days. They said the patch was made within a week, and the rest of the time was spent testing it. A lie I find hard to swallow given that it ended in an emergency release and broke things.

    They let everyone stay vulnerable for all that time - because it affected Vista. If no one notices... or doesn't notice much, then Vista still looks secure. They can slip the patch in some other time in the future. Microsoft does not care at all about your data or your security.

    The fastest patch in Microsoft history, in comparison, was when their DRM was broken. They broke records to fix that one.
  • chrono13, on 10/12/2007, -5/+49Odd. The initial reports showed that this wasn't the case. Which is why this is news.

    I understand the severity of this exploit would warrant a separate fix from third parties (never use or trust Windows ini handling again), but if third party application developers lose the ability to trust Windows to run HTML (already the case) and ini (just now the case) as well as other such things, then how far to go in not trusting Windows? How much responsibility falls on third party developers to protect Windows Users from Windows problems?

    This sounds like a PR fix to me. It is a Windows flaw, with a Microsoft patch. But Mozilla can not let the users remain vulnerable, even if it is the absolute fault, and responsibility of the Microsoft and their OS.

    This is not the first time for third party application developers having to develop or include more direct handling of things that should otherwise be ok to pass to the operating system. Other operating systems are no exception, but Windows seems to be particularly untrustworthy.
  • swazooe, on 10/12/2007, -4/+30yes your friends WoW account was hacked by a cursor
  • cquinnd, on 10/12/2007, -3/+26chrono13

    I think you meant .ANI not .INI

    You find it hard to swallow that they were still testing the patch of the issue for release, and had to rush it out sooner than they expected because word of the flaw was leading to an increase in public exploits.

    Certainly it can be argued that they should have been faster at addressing a hotfix for the issue, but you cannot fault them for trying to better determine the overall scope of what the fix would affect, and what other vulnerabilities might also come to light during a following investigation.

    It affected more than Vista, in fact Vista was less vulnerable because of existing security provisions built into IE7, Windows Mail and Outlook (2007) to prevent a mal-formed .ani file from running arbitrarily. So in developing the patch they would have to take all the other versions of Windows that might be affected by this into consideration.

    That does not absolve Firefox of the need to check their own code against this and similar types of vulnerability, expecially as you said, the initial reports made it seem as if the browser was also protected against passing these files on to the OS.

    The DRM fix, in comparison, did not open the possibility of affecting other connected functions of the OS, and had a smaller development team available that were already dedicated to updating that specific part (and smaller subset) of the overall codebase. And I think the rate that Apple is able to fix exploits of iTunes DRM still hold the record as far as that kind of patching goes.
  • Netrilix, on 10/12/2007, -4/+23@7of7

    "Further, Firefox is less secure in Vista than IE7 because it lacks the sandbox that IE7 has."

    This is something I just plain don't understand. Unless I'm entirely mistaken, the "sandbox" type thing is build into the operating system. In this case, why does Windows allow Firefox to run completely free on the system? Regardless of how much we all love Firefox, why the heck would Microsoft allow Firefox (a third party app) to be trusted, while its OWN BROWSER is put into a sandbox? The only reason I can think of is in situations like this. Microsoft caused the problem with its vulnerability, but since it runs its browser in a sandbox, it doesn't get into the system. Because Firefox is NOT run in the sandbox, Microsoft can point fingers and say "See? IE is more secure!"
  • RKFS, on 10/12/2007, -2/+21So Mozilla is basically fixing a Microsoft problem? the title's just a bit misleading...
  • p0und, on 10/12/2007, -1/+17"If there are vulnerabilities in Firefox they are Mozilla's fault, not Microsoft's."

    Good thing that in this case the vulnerabilities are in Windows, so its Microsoft's fault.
  • diggapleaze, on 10/12/2007, -7/+227of7: "People need to stop blaming Microsoft for their own stupidity"

    Why should ANYONE absolve Microsoft of the blame? Do we need to remind you again that they sat on it for 100 days? I don't care what the reason is, you just don't do that to paying customers.

    No, 7of7, we should never stop blaming Microsoft for their own stupidity.
  • baalzebub, on 10/12/2007, -1/+15dont expect firefox to protect a vulnerable operating system, that would be like trying patch a broken leg with a band-aid...
  • Atomic1fire, on 10/12/2007, -0/+14its vulnerable because of the OS
    not because of the browser
  • inactive, on 10/12/2007, -6/+20Clearing a couple of issues up:

    1- IE7 by default runs in protected mode, files will still be visible but read-only. No harm other than possible data theft.
    2- Firefox is vulnurable since is it uses the same component to render cursors and has no such protected mode. (don't even think of sandbox, it's something totally different)
    3- Cursor handling should not be very deep in the OS. This is on the list of windows WTFs. Most probably it's a backwards-compatibility issue that made its way to Vista.
  • lowerlogic, on 10/12/2007, -1/+14Higherlogic? Is it really you? My long lost brother! Where have you been all these years?
    If it affects firefox on windows I'd think it'd affect opera and other browsers unless I'm missing something. Anyway, I need not worry as I use Ubuntu.
  • duhblow7, on 10/12/2007, -7/+19Don't respond to 7of7 or schoate09, as it is obvious they are both either trolls or 10 years old.
  • bbear, on 10/12/2007, -2/+12@ Netrilix

    Because Firefox devs chose not to support protected mode in Vista at this time. Why? Because parts of the browser needs to be rewriten to support it and that means work for the devs. As a result IE7 on Vista is more secure than Firefox on any Windows OS. Microsoft has no control over who decides to use protected mode or not and the API is available for anyone who wants to use it.
  • inactive, on 10/12/2007, -5/+13Why are you guys buring krayzie? He might have a point:


    "World Of Warcraft Gamers Targeted By Cursor Hackers"
    http://www.allheadlinenews.com/articles/7006959355
  • quickgold192, on 10/12/2007, -4/+12no one was blaming firefox - it was simply stated that firefox is, in fact, vulnerable. which is important to state beacuse a lot of people will asume that they are safe because they don't use ie
  • azAZ09, on 10/12/2007, -9/+17The title of this post, and the article, is written with a pro-microsoft and anti-firefox bias.
    "Open-source Firefox browser is vulnerable to attack using the Windows flaw" --Wrong. Windows is still responsible for the vulnerability, and the target is not the browser. Firefox has protected users from other microsoft flaws in the past, but in this case it hasn't. Blaming an open-source product from not protecting you from yourself ---c'mon microsoft.

    Digg should have two more options under bury ---FUD and propaganda. In this case I'll just use lame.
  • strabes, on 10/12/2007, -3/+10bury me please
  • netdroid9, on 10/12/2007, -1/+8@netrflix: You probably need to activate it in the software. A sandbox would mean no ability to modify files, registry, et cetera, right? So it'd make most programs useless if you had it on by default. EDIT: bbearbeat me to it :(.

    Also, saying not everybody patches is a bit of a cop-out. If you don't patch, then how can Microsoft fix your system without somehow patching without your knowledge (which'd be much worse privacy-wise)? That's not a very good point to include in your argument.

    Microsoft didn't sit on a patch for 100 days. They tested it. Anything that changes vital system files needs to be tested thoroughly, otherwise you could open up an even *worse* exploit.
  • ICSU, on 10/12/2007, -2/+9What a shame. Maybe he had to go out for a change? Imagine the horror.
  • inactive, on 10/12/2007, -0/+7Has Microsoft made available the necessary API's to make third party programs sand boxed like IE7 in Vista?
    Of course you could always use http://www.sandboxie.com/
    I am not sure how effective it would be at preventing such OS exploits though.
  • burty89, on 10/12/2007, -5/+117of7: Meet my block list. You should feel privileged, for only true idiots make the cut.
  • sadatoni, on 10/12/2007, -2/+7M$ did NOT have a patch out almost immediately. They knew of the flaw back in December.

    Microsoft defends 100-day ANI patch process http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015520

    AND the patched they released is buggy:

    Recent Microsoft patch causes problems with Realtek (Brief)
    http://tech.monstersandcritics.com/news/article_1287618.php/Recent_Microsoft_patch_causes_problems_with_Realtek__Brief_


  • loconet, on 10/12/2007, -2/+7Title is definitely misleading. It reads as if it is a bug in Firefox. It isn't. It is an issue with the Windows operating system. A bug which is exposed with any program that makes use of the animated cursor functionality such as IE7 in XP, Outlook, etc, etc.

    Saying Firefox is vulnerable is like one day having roads ridden with potholes and then coming out and saying .. "government buses tires are vulnerable to these potholes.... ut wait a second, so are BMWs. However, if you use our new buses which come with self-repairing tires, there shouldn't be a problem." Dammit, there is still a problem, fix the damn roads. It's not the tires that are vulnerable.
  • npsken, on 10/12/2007, -1/+5I tried installing the update (Windows Vista Home Premium) and it said the update does not apply to my system. Are there systems that don't need to be updated for some reason or another?
  • Agret, on 10/12/2007, -2/+6Probably because your Mac doesn't even use the same cursor format, let alone the same rendering code. Go die troll.
  • gutistg, on 10/12/2007, -0/+4Quit boasting, you bastard.
  • gutistg, on 10/12/2007, -1/+5Wrong button, sorry.
  • jcaino, on 10/12/2007, -6/+10man - i do NOT miss supporting windows or using windows.

    so very happy that all my machines at home run some form of *nix (and are kept up to date) and that my job has me on FreeBSD all day long.

    i couldn't feel luckier.
  • elnerdo, on 10/12/2007, -1/+4Not visiting website that will even try using the 'cursor flaw' for the win.
  • iamdanielj, on 10/12/2007, -1/+3I would expect that it had just been installed by your windows update, and it saw that you already had the update and chucked out that response.

    However that would just be a guess.
  • chrono13, on 10/12/2007, -2/+4"But that's REALTEK's problem for not following the Windows standards. If their software did, this wouldn't be an issue."

    You keep using that word, I don't think it means what you think it means.

    Windows Standard: What most others are doing (make your application require admin rights to run, write whereever in the registry, use both AppData and LocalAppData, use temp windowstemp usertemp or any other dozen temp locations (see CCleaner and WindowWasher for more locations), and of course, the non existent, free and concise development and API standards information from Microsoft. You know, the ones MS is trying to sell, the ones that the EU is suing them to get.

    Of all the platforms that could be standard, that has the ability, Windows would likely be the easiest to standardize. A small, simple guide on what to do where and how that could be titled something like "Microsoft's Standards and Best Practices for Windows Development".

    If I've missed this document, please provide a link and accept my apologies.
  • bmartin, on 10/12/2007, -0/+2"Microsoft is in a bad position because of their desire to be backwards compatible with their older os types."

    The POSIX standard has been around since 1988. They'd be compatible with just about every other OS if they followed this standard. I use a Windows XP system at work every day; I have to interface with Solaris servers for everything I do (compilation, FTP, etc). Having access to a terminal, scripting, etc. would make my life a lot easier.

    I applaud them for finally adding in User Access Control. For security purposes, it'd be ideal for them to build Windows around POSIX, and not a POSIX subsystem within Windows. It'd be better if they followed common POSIX conventions instead of mimicking them.

    I'm not saying they should be the next Linux or OS X -- far from it -- but POSIX would be a step in the right direction for them. The subsystem only exists in certain MS OS's, such as the premium editions of Vista.
  • whiteguysamurai, on 10/12/2007, -3/+5From my understanding, Microsoft has made an effort to show the Mozilla team in great detail how to use UAC, http://blog.vlad1.com/archives/2006/10/05/124/
    Why it hasn't yet been implemented is beyond me, perhaps it's harder then Microsoft makes it seem.
    I do hope it's eventually implemented, i think it's a great shortcut.
  • schoate09, on 10/12/2007, -4/+6But that's REALTEK's problem for not following the Windows standards. If their software did, this wouldn't be an issue.
  • inactive, on 10/12/2007, -0/+2If they're going to implement UAC, I'd imagine it would be in Firefox 3.0, since they seem to save things like that for major releases.
  • ruhaanlp, on 10/12/2007, -2/+3it isnt Mozilla's fault in this case because there is a problem with Windows not Firefox

    this is the reason i use Linux as my fulltime OS it is so much secure and safe
  • cquinnd, on 10/12/2007, -0/+1 bmartin, let me try to give you a closer example:

    1. Program X (trying to run the old windows way at administrator level) requests access to data or system resources that might give it the ability to compromise the system
    2. Vista says "whoa there, I better ask the user if they're OK with this" - invokes UAC
    3. User controls whether the action is performed or not

    4. Program Y (expecting to run as standard user) requests access to data or system resources that the program needs to manage what the user has already specified for it to do.
    5. Vista says "the program is running in a more secure mode, and it is not attempting to access additional resources outside that context" - and allows the program to run without additional prompts.
    6. The user goes on with their business, or can choose to run the program at a higher user level in case it does turn out to need access to some system resources to run at its best.
  • immrlizard, on 10/12/2007, -0/+1@ chrono13

    Microsoft has been publishing those specs since the 80s. The trouble is that the people who write programs don't always follow these guidelines. This is what causes these problems. One additional thing is that Microsoft changes how these things hook sometimes and the people who write these apps don't always get the new versions out before the change happens or the end users don't always install them. Microsoft is in a bad position because of their desire to be backwards compatible with their older os types. Once they put a turd out there it doesn't matter how much you polish it, it is still a turd. If they wrote a completely new os and just said that this is the way it is going to be and this, this, and this wont work any more then it would be much more secure but people would be upset because they would have to upgrade their os. As it is right now, there is nothing forcing anyone to upgrade to vista.
  • inactive, on 10/12/2007, -3/+4 Firefox users who have applied Microsoft's patch for Windows are no longer vulnerable.
  • bmartin, on 10/12/2007, -0/+1I don't understand Windows. Why would UAC be implemented at the application level? Think about it: what are the security implications of implementing it at the application level instead of the OS itself?

    I'm not familiar with UAC. I haven't been in close proximity of a Vista PC yet, so please excuse my ignorance. You'd think that the way it would work is as follows:
    1. Program X requests access to something that might compromise the system
    2. Vista says "whoa there, I better ask the user if they're OK with this"
    3. User controls whether the action is performed or not

    Why would you leave it up to the application to make sure this procedure is enforced? Neither Mozilla nor any other 3rd party developing software for Windows should need to know about UAC.
  • nephilimx, on 10/12/2007, -0/+1Not really, most of the unlegit people proberly dont have the update due to them turning automatic updates off, and since they are tech minded, they proberly use firefox
  • npsken, on 10/12/2007, -0/+1Good point. I have it set to automatically install critical updates.
  • Misfitpierce, on 10/12/2007, -1/+1 Well they patched the mouse security vulnerability so this is no more anyways.

    Ex: As expected, Microsoft has released security update MS07-017, which patches a critical vulnerability in Windows Animated Cursor Handling. The company says it was working on the fix since December, and has posted it early due to reports of attacks.
  • amfr, on 10/12/2007, -2/+2@whiteguysamurai:
    UAC is a shortcut? I thought clicking extra buttons made things take longer...maybe its just me.
  • JorgeGT, on 10/12/2007, -2/+2Wanna play Battlefield tonight?
  • linuxeventually, on 10/12/2007, -1/+1You lost me at "uber kewl"
  • mancat, on 10/12/2007, -1/+1By attempting to prevent whatever behavior causes the user to be presented with the opportunity to load an animated cursor. You have to understand, the vulnerability doesn't come into play unless you load an intentionally malformed cursor file. How does the cursor typically get loaded for this attack? When a malicious web site does something to cause the browser to prompt the user to "open this file."
  • makakoloco, on 10/12/2007, -1/+0Dude according to this http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html IE7 Protected Mode uses windows integrity levels(that's new in Vista).
    With this you have FF uber kewl protected mode
    C:Program FilesMozilla Firefox>icacls firefox.exe /setintegritylevel low
    J:config>icacls firefox-profile /setintegritylevel (OI)(CI)low
  • Fetching more discussions...
    Show 51 - 75 of 75 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.