Mozilla may toughen up its Firefox browser to better protect it against the Windows animated cursor (ANI) file bug, the company's lead developer said today.

Even so, Mike Schroepfer, Mozilla's vice president of engineering, made it clear that the problem isn't with Firefox. "The ANI vulnerability is caused by a Windows error," Schroepfer said in an e-mail. "It can be exploited through both Firefox and Internet Explorer. Microsoft has issued a patch to fix Windows, and we encourage all Windows users to apply this update immediately."

Wednesday, the researcher credited with discovering the ANI bug, Alexander Sotirov at Determina, demonstrated an exploit that ... in Microsoft's IE7 and Firefox 2.0. The latter, in fact, was less safe when running in Windows Vista, said Sotirov, because it lacks IE7's protected mode, a low-privilege setting that blocks most disk write access.

"We are investigating issuing a work-around within Firefox in an upcoming security release," Schroepfer said today.

Although Schroepfer did not elaborate on what steps Mozilla might take, the company has talked about implementing a low-rights mode within Firefox to mimic the IE7 feature under Vista. Last year, for example, before the run-up to Vista's release, several Mozilla developers made a trek north to Microsoft's Redmond, Wash., headquarters and conferred with Vista engineers. Among the things they learned were ideas for ways to run Firefox in a low-privilege setting that would block malware from installing on a PC or altering existing system files.

Since then, however, Mozilla has been quiet about the feature. The planning documents for the still-under-construction Firefox 3.0, for example, don't mention a low-rights or protected mode.

Mozilla's first scheduled opportunity to harden Firefox against the ANI bug would be around May 15, the ...