Mozilla still looking into Firefox flaw claims

By Dennis Fisher, Executive Editor
09 Oct 2006 | SearchSecurity.com

Despite claims by one of the researchers involved that the whole thing was a joke, security experts at Mozilla Corp. are continuing to investigate whether there is indeed a remotely exploitable flaw in the Firefox browser.

Window Snyder, Mozilla's security chief, said she and others at the company have been unable to reproduce the remote code execution that Mischa Spiegelmock and Andrew Wbeelsoi claimed recently was possible using a new flaw in Firefox's JavaScript implementation. However, she emphasized that Mozilla still is taking the issue very seriously and intends to continue looking into the vulnerability until it's clear that there's no merit to the claim.

"It doesn't look like it's going to be a serious problem, but we're still investigating what can be done about it," Snyder said. "We're looking to see if there's anything to fix."

Mozilla has confirmed that there is a flaw in Firefox that can allow attackers to cause a denial-of-service condition by consuming a large amount of system resources. The problem, known as an "out-of-memory" condition, is not remotely exploitable and cannot be used to run arbitrary code on target machines, as far as the Mozilla engineers can see at this point. The claims of code execution by Spiegelmock and Wbeelsoi, which they made at a security conference late last month, set off a mad scramble in the security community, as researchers and crackers pored over the pair's exploit code.

However, within a few hours of their presentation, Spiegelmock told Snyder that he had only been joking about the code execution potential in the flaw and also said he knew nothing about the 29 other Firefox vulnerabilities that Wbeelsoi claimed to have in reserve. Snyder said Mozilla is not concerned with those other flaws and added that despite the messy way it all played out, she is encouraged by the results of the investigation into the JavaScript vulnerability.

"I think it's a reflection of people doing the right thing and taking these reports seriously," said Snyder, who was instrumental in helping to establish Microsoft Corp.'s stance on responsible disclosure when she worked for the software giant. "A couple of individuals took advantage of that, and that's disappointing. But I'm happy that people are taking vulnerabilities seriously."
