By Ryan Naraine
October 3, 2006
A public claim by hackers that Mozilla's Firefox browser is vulnerable
to multiple code execution vulnerabilities may be an overblown hoax.
On the heels of a ToorCon presentation where two security researchers
Mischa Spiegelmock and Andrew Wbeelsoi warned that Firefox's
takeover attacks, Mozilla's engineers say the risk is limited to a
Spiegelmock, a developer at Six Apart, a blog software company in San
Francisco, now says the ToorCon talk was meant "to be humorous" and
insists the code presented at the conference cannot result in code
Spiegelmock's strange about-face comes as Mozilla's security response
team is racing to piece together information from the ToorCon talk to
figure out how to fix the issue.
Mozilla security chief Window Snyder, who was an attendee at the
conference, said the company is treating the claims as real until it can
be verified otherwise but, as of Oct. 2, the open-source group could
only reproduce a denial-of-service issue that caused a browser crash.
"In some cases this causes a crash based on an out-of-memory error.
Based on the information we have at this time we have not been able to
confirm whether an attacker can achieve code execution. We're still
investigating," Snyder said.
A few hours later on Oct. 2, after discussions with Spiegelmock, Snyder
said the researcher provided more code along with a note explaining the
extent of the risk.
In Spiegelmock's note, posted to the Mozilla developer blog, the
researcher admitted the claims presented at ToorCon were a bit
"As part of our talk we mentioned that there was a previously known
Firefox vulnerability that could result in a stack overflow ending up in
remote code execution. However, the code we presented did not in fact do
this, and I personally have not gotten it to result in code execution,
nor do I know of anyone who has," Spiegelmock said.
"I have not succeeded in making this code do anything more than cause a
crash and eat up system resources, and I certainly haven't used it to
take over anyone else's computer and execute arbitrary code," he added.
On the claim that there are 30 undisclosed Firefox vulnerabilities,
Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no
undisclosed Firefox vulnerabilities. The person who was speaking with me
made this claim, and I honestly have no idea if he has them or not. I
apologize to everyone involved, and I hope I have made everything as
clear as possible," Spiegelmock added.
Wbeelsoi could not be reached for comment.
"Even though Mischa hasn't been able to achieve code execution, we still
take this issue seriously. We will continue to investigate," Mozilla's
Donate online for the Ron Santo Walk to Cure Diabetes!