Alex had said that he was exploiting this bug on Firefox, even though the Firefox docs say it should be impossible. I'm just trying to understand how his claims are possible.
There's no reason to believe the Firefox developers need to do anything. IE, for example, is fixed when the ANI code in GDI is fixed.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: Daniel Veditz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 9:47 PM
To: George Ou
Cc: Larry Seltzer; 'Alexander Sotirov'; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

George Ou wrote:
> The patch for ANI is out from Microsoft. I'm assuming the question is
> if we will see this technique for Firefox exploitation posted now?

Why? That would needlessly put Firefox users at risk -- not everyone will be able to apply the Windows patch immediately. Microsoft may have had since December to craft a patch, but the Firefox team hasn't.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/