There's been a lot of uproar over a presentation at Toorcon where a pair of "Security Researchers" (which is what they would be called if they used responsible disclosure) / "Hackers" (which is the term almost universally used in press accounts) claimed to have found a bug in Firefox which they used to build a botnet.
This understandably concerned the Mozilla team, and a member of the Mozilla security team joined the presentation. Turns out they were "joking". I'm not sure how the announcement of the creation of a botnet based on a non-existent security flaw constitutes a "joke" - and I'm a geek. I "get" some pretty esoteric jokes.

They wanted to tweak the "Firefox fanboys".
Mischa later apologized:
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock
Nevertheless, there apparently is a little bit of fire in all that smoke - a flaw in Firefox that can apparently be used for a denial of service. Of course, I didn't say too much about the IE setslice vulnerability on Thursday because it, too, was a DoS bug - until Friday night, when suddenly a remote code execution exploit was released and caused enough havoc to prompt the ISC to go to yellow alert. So be aware, if I hear of this escalating to an exploit I'll post ASAP.
The most important thing - Mozilla immediately reacted, is concerned with finding the truth, not maintaining a corporate image, and is taking this very seriously.
JaBbA says: Open Source means more than just source code.