On CBSSports.com: Get this week's hotties in your inbox
BNET Business Network:
BNET
TechRepublic
ZDNet
65 TalkBacks

By Joris Evers
Posted on ZDNet News: Oct 3, 2006 8:59:00 PM

A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open-source Web browser simply by crafting a Web page that contains some malicious JavaScript code, they said. They displayed some of that code.

Hackers' presentation

But Spiegelmock has now backpedaled on those claims. In a statement provided to Mozilla, which coordinates development of Firefox, Spiegelmock said that the computer code displayed during the presentation does not fully compromise a PC running the browser.

"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," he wrote in the statement, which was posted on Mozilla's Web site on Monday.

"The main purpose of our talk was to be humorous," Spiegelmock wrote. "I apologize to everyone involved, and I hope I have made everything as clear as possible."

He pinned the claim that the hackers know of 30 yet-to-be-fixed flaws in Firefox entirely on his co-presenter, Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not," Spiegelmock wrote. Wbeelsoi could not immediately be reached for comment.

Click here to Play

Video: Hackers claim Firefox zero-day flaw
Is the browser more vulnerable than thought?

Click here to Play

Video: Hackers vs. Firefox
Mozilla antsy about expolited Firefox flaws.

The presentation at ToorCon caused a stir among Firefox developers. People worked through the weekend to investigate the issue, Window Snyder, Mozilla's security chief, said on Tuesday. Mozilla's bug-tracking Web site shows some evidence of that.

"At this point, Mischa is cooperating with us, and we're pleased that he has decided to work with us, but we're disappointed that so many people were spun up about this," she said. "It is an expensive operation in terms of resources and the individuals who lost time with their families over the weekend."

Based on the information Spiegelmock provided to Mozilla, the issue presented at ToorCon could still be a serious flaw, but so far, it looks like an innocuous crash, Snyder said. "We've got a potential issue, but at this point it is essentially a reliability issue. We have not been able to demonstrate code execution," she said.

In his statement, Spiegelmock wrote that the presentation included "a previously known Firefox vulnerability." Snyder, however, said that the potential issue is similar to an old bug, but is different.

"What they presented was a potential vulnerability," Snyder said. "Whenever you see a crash you want to investigate it completely, to evaluate whether or not there is any security impact. We have not exhausted all the options, so we're going to work on it...The right thing for Firefox users is to take it seriously and not dismiss anything."

Another security expert said the issue is nothing more than something that would cause Firefox to crash. "The test case from their slides is merely an out-of-memory crash bug and not a vulnerability," bug hunter Tom Ferris said. "Apparently, these guys just wanted to troll the media and the people at ToorCon."

Snyder couldn't say whether Mozilla would issue a patch to fix the reliability issue and potential vulnerability, or address it in a future release of the browser. "I can't say at this point, it requires further investigation," she said.

  • Talkback
  • Most Recent of 65 Talkback(s)
hackers have ALREADY taken control of redmond -
so you are already compromised by staying with m$!! (Read the rest)
Posted by: galileon Posted on: 10/06/06 You are currently: Logged In | Log out
Ah well, Fred Fredrickson   | 10/03/06
should still be quite interesting... Monkey_MCSE   | 10/03/06
ROFLMAO! Linux User 147560   | 10/03/06
No crow here boy Linux User 1   | 10/03/06
Message has been deleted. Linux User 1   | 10/03/06
you're truely pathetic.. Monkey_MCSE   | 10/03/06
Monkey_Mental is Linux Geek Linux User 1   | 10/03/06
this coming from the.. Monkey_MCSE   | 10/03/06
I'm just waiting for Shelendrea   | 10/04/06
All steak Linux User 1   | 10/03/06
Save a drumstick for No_Ax Chad_z   | 10/04/06
just M$ fud Linux Geek   | 10/03/06
Like you would know Linux User 1   | 10/03/06
Yup DarthRidiculous   | 10/04/06
Would that be the other name you sign on with Boot_Agnostic   | 10/04/06
Hey Spiegelmockery... techboy_z   | 10/03/06
How? Linux User 1   | 10/03/06
lol galileon   | 10/03/06
we don't need the band-aid afterall PeterWeter... galileon   | 10/03/06
IE is now more secure than FF Linux User 1   | 10/03/06
i ain't said nothing of the sort! and IE7 doesn't count, its beta software galileon   | 10/03/06
Don't waste your time... Linux User 147560   | 10/03/06
not in his case they don't Shelendrea   | 10/04/06
While this is true, it is also Linux User 147560   | 10/04/06
True Enough Shelendrea   | 10/04/06
Well, look at the bright side. They did need to review Java Script, and do DonnieBoy   | 10/03/06
Good Boot_Agnostic   | 10/04/06
Well folks this is the scent of victory , FF rules over IE . Intellihence   | 10/04/06
Of note is the fact that ZD hastened to promote Dr_T   | 10/04/06
Nope, this guy really exists. osreinstall   | 10/04/06
They look like they came from another planet ....nt Dr-T   | 10/04/06
Bet their parents say the same thing. osreinstall   | 10/05/06
Don't think you read teh same story that I did escoles@...   | 10/04/06
A news "report" on the "new exciting" 30 known unpatched vulns and a severe Dr-T   | 10/04/06
Apparently not Spoon Jabber   | 10/05/06
Is this the same guy who said he was with Jonbene Ransey? Reverend MacFellow   | 10/04/06
Haha! Spoon Jabber   | 10/05/06
Where is No_ax, Mike, etc .... Reverend MacFellow   | 10/04/06
Dont Expect Anything From No_Ax itanalyst   | 10/04/06
No need to worry . Intellihence   | 10/04/06
Well isn't this an interesting little tidbit? Shelendrea   | 10/04/06
No most people use IE TonyMcS   | 10/04/06
Can we say "Convicted Monopolist?" JackG058   | 10/04/06
The ignorant majority Greenknight_z   | 10/05/06
Nothing IE dependent? Fred Fredrickson   | 10/05/06
I can view IE pages in Firefox. clockmendergb@...   | 10/05/06
I think that the extension merely launches IE Spoon Jabber   | 10/05/06
Calm down all you politicians Boot_Agnostic   | 10/04/06
Perfect opportunity.. (for the hackers) thetruth_z   | 10/04/06
sorry.. wrong article.. thetruth_z   | 10/04/06
Another top notch advisor whoozhe@...   | 10/04/06
Here's your subpoena... John Zern   | 10/04/06
Bring back the Stockade! Spoon Jabber   | 10/05/06
Bring back the stocks. clockmendergb@...   | 10/05/06
That's what I meant, thanks ;) Spoon Jabber   | 10/05/06
Message has been deleted. tcavadias  ZDNet | 10/05/06
"Slow the system down and eat resources".... Sysop1984   | 10/04/06
Come on PeterWeter Monkey_MCSE   | 10/04/06
i miss Peter too... galileon   | 10/05/06
Where are all the MS IE mouths today? ITSa341@...   | 10/04/06
M$ was a platinum sponsor of toorcon. kraterz   | 10/04/06
what a tool SikosisZDNet   | 10/04/06
They're great! Spoon Jabber   | 10/05/06
firefox will take over your computer... nix_hed   | 10/05/06
hackers have ALREADY taken control of redmond - galileon   | 10/06/06

What do you think?

advertisement
advertisement
advertisement
Click Here