Mischa Spiegelmock, one of two hackers who gave a presentation last weekend on Firefox flaws at a small security conference called ToorCon, has told security officials with the Mozilla Foundation that the vulnerability he discussed cannot be used to execute arbitrary code. Instead, the flaw can only be used to cause the browser to crash and consume large amounts of system resources.
"The main purpose of our talk was to be humorous. As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible."
In her post, Snyder acknowledged that the vulnerability the pair discussed can in fact be used to cause Firefox to crash, and said that Mozilla engineers are continuing to analyze it. The flaw was considered significant enough that both US-CERT and The SANS Institute's Internet Storm Center posted notices about it.