Firefox security hole was "just a joke"

By em_te
in Back Page News

 Share

Recommended Posts

Veteran

em_te

Posted
Posted

http://developer.mozilla.org/devnews/index...ted-at-toorcon/

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:
The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven?t used it to take over anyone else?s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn?t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

Grand Master

zeroday

Posted
Posted

The allegedly critical hole reported yesterday in Firefox's JavaScript implementation has turned out, not surprisingly, to be a hoax. Mischa Spiegelmock, who made the claim at the Toorcon hacker conference, told Mozilla's security chief Window Snyder, "The main purpose of our talk was to be humorous."

While it is possible to create a stack overflow, the only result he has been able to produce is a browser crash. Neither he, nor anyone else, has managed to execute code via this hole. Spiegelmock claims to know nothing about the other 30 holes reported in the media. The Mozilla team nevertheless plans to look into the matter in order to detect and remedy any flaws.

Source

Moz Dev Centre Entry:

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

Moz Dev Entry

Veteran

halcyoncmdr

Posted
Posted

As it said:

While it is possible to create a stack overflow, the only result he has been able to produce is a browser crash. Neither he, nor anyone else, has managed to execute code via this hole.

So while they can reproduce the crash is beside the point, no code is able to be executed through this hole, yet :shiftyninja:

Mentor

someware

Posted
Posted

hmmm, whether or not there was a hole I don't think it really matters

It's just quite funny the effect the media has, not even the media, the internet!, the spread of word by individuals posting the same content from one forum to another. The untruthful content ends up on hundreds of sites... millions of people read it and believe it to be gospel.

There are probably thousands of people walking around today thinking their Firefox is insecure lol! :)

Then again only geeks use firefox and tbh the sensible people out there will be running virus scanners and firewalls.

When I saw the announcement of the '30 exploits' I thought ah well, they'll prolly fix it soon enough who cares :)

Grand Master

Malisk

Posted
Posted

Three of my major news sources, Slashdot, Ars, and bit-tech had reported this flaw, and now its fake? lol

Yes.

I've seen it before, and I think this is a kind of new problem with the fast travelling unverified news getting mirrored on news sites, major or not. Don't go believe e.g Slashdot has much of a quality control in place.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted

Yes.

I've seen it before, and I think this is a kind of new problem with the fast travelling unverified news getting mirrored on news sites, major or not. Don't go believe e.g Slashdot has much of a quality control in place.

They reported the combined statement by Mozilla and these guys, Mozilla said it knew of the flaw they were talking about (the DoS one), and the "report" included what the guys said.

I would rather them report on it, than just ignore it (even if it turns out to be a non-issue)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.