Firefox Flaw Demo Is Itself Flawed

One of the hackers who gave the demo says the main goal was to be humorous and has both apologized and retracted a bug claim.

Gregg Keizer, Contributor

October 3, 2006

2 Min Read

One of two hackers who demonstrated a vulnerability in Mozilla Corp.'s Firefox at a hacker conference on Saturday has retracted claims that the bug could be exploited to hijack computers running the browser. In fact, the hacker's demo may have been little more than a joke.

Mischa Spiegelmock and Andrew Wbeelsoi showed exploit code for a Firefox JavaScript vulnerability at the ToorCon hacker conference amid claims that they had nearly three dozen vulnerabilities they weren't going to disclose. Mozilla immediately began investigating.

Monday, however, Spiegelmock forwarded a message to Mozilla that was posted on the company's developer center.

"We mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution," wrote Spiegelmock. "However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities," he added.

"The main purpose of our talk was to be humorous. I apologize to everyone involved," Spiegelmock said.

Earlier Monday, Window Snyder, the new security chief of Mozilla, said her team had been unable to produce more than a browser crash with the exploit code. "Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously," Snyder said in an accompanying message on the developer center site. "We will continue to investigate."

The investigation may hold up the update to Firefox 2.0 Release Candidate 2 (RC2). According to notes from a staff meeting posted online, a Friday release for RC2 has been scratched. Although RC2 has already been posted to Mozilla's FTP servers, it might be pulled to fix the JavaScript flaw and/or another bug in an overlooked dialog that remains in the code from previous test builds, said Mozilla.

Firefox 2.0 is nearly completion -- RC1 was launched last week -- and will compete with Microsoft's Internet Explorer 7 when it reaches final form.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights