By Joris Evers
October 02, 2006
Mozilla is investigating claims that its Firefox browser is vulnerable
to a zero-day attack
The open source Firefox Web browser is critically flawed in the way it
An attacker could commandeer a computer running the browser simply by
Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon
hacker conference in San Diego. The flaw affects Firefox on Windows,
Apple's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is
also fairly insecure," said Spiegelmock, who in everyday life works at
blog company SixApart. He detailed the flaw, showing a slide that
displayed key parts of the attack code needed to exploit it.
10-year-old scripting language widely used on the Web. In particular,
various programming tricks can cause a stack overflow error, Spiegelmock
said. The implementation is a "complete mess," he said. "It is
impossible to patch."
Mozilla's security chief, said after watching a video of the
presentation Saturday night. "What they are describing might be a
variation on an old attack," she said. "We're going to do some
Snyder said she isn't happy with the disclosure and release of an
apparent exploit during the presentation. "It looks like they had enough
information in their slide for an attacker to reproduce it," she said.
"I think it is unfortunate because it puts users at risk, but that seems
to be their goal."
At the same time, the presentation probably gives Mozilla enough data to
fix the apparent flaw, Snyder said. However, because the possible flaw
addressing it might be tougher than the average patch, she added. "If it
fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They
don't plan to disclose them, instead holding on to the bugs.
Jesse Ruderman, a Mozilla security staffer, attended the presentation
and was called up on the stage with the two hackers. He attempted to
persuade the presenters to responsibly disclose flaws via Mozilla's bug
bounty program instead of using them for malicious purposes such as
creating networks of hijacked PCs, called botnets.
"I do hope you guys change your minds and decide to report the holes to
us and take away $500 per vulnerability instead of using them for
botnets," Ruderman said.
The two hackers laughed off the comment. "It is a double-edged sword,
but what we're doing is really for the greater good of the Internet,
we're setting up communication networks for black hats," Wbeelsoi said.
Donate online for the Ron Santo Walk to Cure Diabetes!