April 4, 2007 3:25 PM PDT

Mozilla mulls Windows cursor flaw fix of its own

Mozilla is looking at delivering its own remedy for a Windows flaw that could let attackers commandeer a PC running the Microsoft operating system software.

Microsoft broke with its monthly patch cycle Tuesday to fix the bug, which cybercrooks had been using since last week to attack Windows PCs. The flaw relates to the way Windows handles animated cursors and could let an attacker commandeer a PC when the user views a malicious Web site or e-mail message.

The vulnerability could be exploited through any Windows application that relies on the operating system to handle animated cursor files. This includes Mozilla's Firefox Web browser, which according to some security experts exposes Windows Vista users to greater risk than Internet Explorer 7 because the latest Microsoft browser has additional security features.

"The vulnerability is caused by a Windows error?it can be exploited through both Firefox and Internet Explorer," Mike Schroepfer, vice president of engineering at Mozilla, said in a statement. "We are investigating issuing a workaround within Firefox in an upcoming security release." Mozilla coordinates Firefox development.

The Firefox workaround could be welcome for those users who, for whatever reason, don't install Microsoft's fix. Some compatibility problems with the Microsoft update have been reported. "Microsoft has issued a patch to fix Windows and we encourage all Windows users to apply this update immediately," Schroepfer said.

Security experts at Determina, which reported the animated cursor flaw to Microsoft, have published a video that shows how a Vista PC can be compromised by exploiting the flaw and how Firefox users are at a higher risk than IE 7 users.

See more CNET content tagged:
Mozilla Corp., Firefox, Microsoft Internet Explorer 7, Microsoft Corp., security

6 comments

Join the conversation!
Add your comment
work around for Firefox users..
..use IE 7 for the time being.
Posted by FutureGuy (742 comments )
Reply Link Flag
did you *read* the article?
"The vulnerability is caused by a Windows error?it can be exploited through both Firefox and Internet Explorer,"

IE7 gives you *no* protection, because it's a *Windows* flaw. Mozilla is talking about intercepting the attack *before* it reaches Windows, to protect you proactively.

The *real* solution would be to use something other than Windows, silly person.
Posted by Solarion (11 comments )
Link Flag
exactly
firefox is a good browser, but it is basicaly a rip off of ie7, which is fine but when their execs start say things like "this was due to a windows flaw...bla bla bla"come on if you want to play in the browser market grow up and take responsibility for product you little boy!!
Posted by ITprosupport (30 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.