Mozilla flaws more joke than jeopardy
Firefox attack a 'stand up comedy routine'
However, the duo have not been able to actually get the vulnerability to result in control of a computer, Spiegelmock said in a statement posted to the Mozilla developer blog.
The presentation was intended mainly as a joke, Spiegelmock said in the statement, in which he apologised.
"The main purpose of our talk was to be humourous," the 19-year-old researcher said in the statement. "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
Spiegelmock and his employer, blog developer and service provider Six Apart, backed off those statements on Monday.
"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim," Spiegelmock said in the statement posted to Mozilla's blog late Monday night. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."
According to a source familiar with the matter, Spiegelmock does not have any other information about vulnerabilities outside of the denial-of-service vulnerability included in the presentation. Moreover, the college student has disclosed all details about the flaws to the Mozilla Foundation. Neither Spiegelmock nor Wbeelsoi responded to emailed interview requests.
Six Apart downplayed the style of the presentation as a prank.
"Mischa is a young man - he meant the presentation in jest," said Jane Anderson, spokeswoman for Six Apart.