Tuesday, October 03, 2006

Firefox Zero-Day Vulnerability . . . Apparently Not

It was reported over the weekend in c|net News that two hackers claimed the Firefox Web browser is critically flawed in the way it handles JavaScript. According to the report in "Hackers claim zero-day flaw in Firefox":

"An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it."

As reported in by Robert Lemos for SecurityFocus in "Mozilla flaws more joke than jeopardy", Spiegelmock has apologized, indicating that the presentation was intended mainly as a joke:

"The main purpose of our talk was to be humorous," the 19-year-old researcher said in the statement. "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."

Although it is reported that there were those at the presentation who recognized it as an attempt at humor, it is refreshing to read the comment by recently hired Window Snyder at the Mozilla Developer Center:

"Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate."

No comments: