The Truth About a Claimed Firefox Exploit

I'm sure most of you heard about the recent Firefox security issue, the one claiming Firefox is “critically flawed in the way it handles JavaScript” and that over 30 unreleased vulnerabilities exist. It turns out the whole thing was a hoax. That's right, a ruse. From the Mozilla Developer Center:
We got a chance to talk to Mischa Spiegelmock, the ToorCon speaker that reported the potential JavaScript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:
The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.
I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.
I apologize to everyone involved, and I hope I have made everything as clear as possible.

Somehow I don't think Window is laughing. While it's great to see that most of the info was fictitious (there is a legitimate flaw that can be used to crash the browser), in reality tangible damage has been done to the reputation of Firefox. Of course, now the rumors are swirling. Of the two people on stage at the time, one works at Six Apart (which owns LiveJournal) and the other recently claimed responsibility for a fairly high-profile JavaScript attack against close to a million LiveJournal users. In addition, there's even a picture of him floating around eating with a bunch of Microsofties. As you can guess, the conspiracy theorists are having a field day. No word yet on what the fallout of this will be, but I'd guess there will be some. As for the real security track record of Firefox, well, that's still being decided. My guess (as you may have presumed) is that while it will have problems, they won't be as consistently unpatched as IE ones have been.
–jeremy