Remote Firefox JavaScript flaw claim disputed

Hacker, Mozilla security official now say the flaw results in a DoS, not code execution.

One of the hackers who claimed to have found a new remotely exploitable JavaScript vulnerability in the popular Firefox browser has now said that claim was a joke and that no such flaw exists.

Mischa Spiegelmock, one of two hackers who gave a presentation last weekend on Firefox flaws at a small security conference called ToorCon, has told security officials with the Mozilla Foundation that the vulnerability he discussed cannot be used to execute arbitrary code. Instead, the flaw can only be used to cause the browser to crash and consume large amounts of system resources.

In their presentation at the conference in San Diego, Spiegelmock and Andrew Wbeelsoi said they had discovered a previously unknown hole in Firefox's JavaScript implementation, which could allow a remote attacker to run code on a target machine. Window Snyder, who heads up Mozilla's security efforts, acknowledged at the time that there did seem to be a legitimate problem with the implementation. However, after looking at the code that the two hackers gave Mozilla, Snyder posted a message on the Mozilla Developer Center site Monday saying that the problem is not as serious as Spiegelmock and Wbeelsoi claimed. Her post included a statement from Spiegelmock about the vulnerability and his presentation at ToorCon:

"The main purpose of our talk was to be humorous. As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible."

In her post, Snyder acknowledged that the vulnerability the pair discussed can in fact be used to cause Firefox to crash, and said that Mozilla engineers are continuing to analyze it. The flaw was considered significant enough that both US-CERT and The SANS Institute's Internet Storm Center posted notices about it.

Dig deeper on Web Browser Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close