Hackers flip flop on Mozilla JavaScript flaws

One of the two men who publicly disclosed a Mozilla Firefox JavaScript vulnerability over the weekend at a hacker conference now claims the bug does not allow for remote code execution.

Mischa Spiegelmock has apologized for causing an unjustified alarm, the open-source web browser's security chief said in a blog Monday night.

Spiegelmock, one of the two hackers who presented the flaw Saturday at the ToorCon conference in San Diego, also said he is not aware of 30 undisclosed Firefox vulnerabilities, which Spiegelmock's speaking partner, Andrew Wbeelsoi, said exist.

"The main purpose of our talk was to be humorous," Spiegelmock said in a statement, which was published Monday by Mozilla security chief, Window Snyder.

"…I have no undisclosed Firefox vulnerabilities," he said. "The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible."

Meanwhile, the vulnerability the pair reported is caused by the way in which Firefox processes JavaScript, which could lead to a stack overflow "ending up in remote execution," he said. "However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know anyone who has."

So far, all the bug has done is cause a browser crash and consume system resources, he said.

Snyder told today that she was upset with Spiegelmock and Wbeelsoi for creating an unnecessary panic.

"We had engineers here on Sunday, trying to get this vulnerability (figured out)," she said. "To realize that it was spun up and people lost their weekends over somebody's idea of a joke, it's disappointing."

But she said she was pleased Spiegelmock came forward to clear the air. "Mischa realized what the impact (of his speech) was going to be, and he admitted that he had exaggerated. Still, we needed to investigate it and take it all seriously…to make sure our users aren't going to be at risk."

Snyder, in another blog posted Monday afternoon, said Mozilla security experts were able to exploit the flaw to launch a DoS attack but were not able to achieve remote code execution.

News of the JavaScript flaw and remarks that some 30 other bugs are affecting the alternative web browser came two weeks after security giant Symantec said Mozilla contained more vulnerabilities than Internet Explorer (IE) through the first six months of this year.

According to Symantec's twice-annual Internet Security Threat Report, Mozilla browsers contained 47 vulnerabilities, compared to 38 for IE. However, IE was the most frequently targeted browser, accounting for 47 percent of all attacks.

As more users abandon IE in favor of Firefox, hackers should continue to target the browser, said Chris Andrew, vice president of security technologies at PatchLink.

"We expect to see even more vulnerabilities identified in Firefox and other open-source tools as a result of hackers following consumer adoption trends," he said. "In late 2005, IE's usage dropped to around 85 percent, primarily due to consumers turning to Firefox to avoid computer worms, viruses, adware and spyware. Now with hackers targeting Firefox along with other alternative operating systems and applications, it will be critical for organizations to be able to rapidly and effectively remediate vulnerabilities across any platform."

Snyder said Mozilla typically will have more reported vulnerabilities - many of which pose little threat - because of its open-source nature.

Click here to email Dan Kaplan.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.