Feeds

Mozilla flaws more joke than jeopardy

Firefox attack a 'stand up comedy routine'

Top three mobile application threats

Two presenters razzed developers of the open source Mozilla browser this weekend at the ToorCon hacking convention in San Diego with claims that the browser's Javascript implementation is flawed, but the lecture appears to have been more stand-up comedy routine than substantiative research.

The two researchers - college student and Six Apart developer Mischa Spiegelmock and hacker Andrew "Wbeelsoi" who also uses the handle "Weev" - appeared to demonstrate a remotely exploitable flaw in the Javascript implementation of the Mozilla Firefox browser during their Saturday presentation.

However, the duo have not been able to actually get the vulnerability to result in control of a computer, Spiegelmock said in a statement posted to the Mozilla developer blog.

The presentation was intended mainly as a joke, Spiegelmock said in the statement, in which he apologised.

"The main purpose of our talk was to be humourous," the 19-year-old researcher said in the statement. "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."

The presentation had gained some credence because an increasingly number of flaws have been found in the Javascript implementations of several browsers, including Firefox, with researchers warning that flaws in the technology could allow web worms the ability to gather information about a victim's network and to gain some access to a user's computer.

The humourous attack on Mozilla also came as software giant Microsoft scrambled to deal with its own zero-day attacks on its Internet Explorer browser and Windows operating system.

Spiegelmock's and Wbeelsoi's claims were widely mirrored by numerous blogs and news aggregators after a News.com article covered the presentation. The duo called Mozilla's implementation of Javascript a "complete mess" and "impossible to patch", according to the article. The hackers reportedly claimed to have 30 more Firefox vulnerabilities that he intended to keep to themselves to set up "communication networks for black hats".

Spiegelmock and his employer, blog developer and service provider Six Apart, backed off those statements on Monday.

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim," Spiegelmock said in the statement posted to Mozilla's blog late Monday night. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."

According to a source familiar with the matter, Spiegelmock does not have any other information about vulnerabilities outside of the denial-of-service vulnerability included in the presentation. Moreover, the college student has disclosed all details about the flaws to the Mozilla Foundation. Neither Spiegelmock nor Wbeelsoi responded to emailed interview requests.

Six Apart downplayed the style of the presentation as a prank.

"Mischa is a young man - he meant the presentation in jest," said Jane Anderson, spokeswoman for Six Apart.

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.