
Remote Firefox JavaScript flaw claim disputed

Dennis Fisher

One of the hackers who claimed to have found a new remotely exploitable JavaScript vulnerability in the popular Firefox browser has now said that claim was a joke and that no such flaw exists.

Mischa Spiegelmock, one of two hackers who gave a presentation last weekend on Firefox flaws at a small security conference called ToorCon, has told security officials with the Mozilla Foundation that the vulnerability he discussed cannot be used to execute arbitrary code. Instead, the flaw can only be used to cause the browser to crash and consume large amounts of system resources.

In their presentation at the conference in San Diego, Spiegelmock and Andrew Wbeelsoi said they had discovered a previously unknown hole in Firefox's JavaScript implementation, which could allow a remote attacker to run code on a target machine. Window Snyder, who heads up Mozilla's security efforts, acknowledged at the time that there did seem to be a legitimate problem with the implementation. However, after looking at the code that the two hackers gave Mozilla, Snyder posted a message on the Mozilla Developer Center site Monday saying that the problem is not as serious as Spiegelmock and Wbeelsoi claimed. Her post included a statement from Spiegelmock about the vulnerability and his presentation at ToorCon:

"The main purpose of our talk was to be humorous. As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible."

In her post, Snyder acknowledged that the vulnerability the pair discussed can in fact be used to cause Firefox to crash, and said that Mozilla engineers are continuing to analyze it. The flaw was considered significant enough that both US-CERT and The SANS Institute's Internet Storm Center posted notices about it.

