MacSTAC was founded on April 1, 1978 as an Apple II MUG. We are a community group with members from all walks of life, careers and levels of ability. We welcome all Mac users to improve their knowledge and, in turn, share their Mac knowledge with others. http://macstac.org

Monday, October 09, 2006

Hacker backpedals on Firefox zero-day

Source: C|Net News.com

A hacker who claimed to have found a serious zero-day bug in Firefox
now says he was never able to exploit the supposed vulnerability to
hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told
attendees at the ToorCon event in San Diego that Firefox is critically
flawed in the way it handles JavaScript. An attacker could commandeer
a computer running the open-source Web browser simply by crafting a
Web page that contains some malicious JavaScript code, they said. They
displayed some of that code.

Hackers' presentation

But Spiegelmock has now backpedaled on those claims. In a statement
provided to Mozilla, which coordinates development of Firefox,
Spiegelmock said that the computer code displayed during the
presentation does not fully compromise a PC running the browser.

"I have not succeeded in making this code do anything more than cause
a crash and eat up system resources, and I certainly haven't used it
to take over anyone else's computer and execute arbitrary code," he
wrote in the statement, which was posted on Mozilla's Web site on
Monday.

"The main purpose of our talk was to be humorous," Spiegelmock wrote.
"I apologize to everyone involved, and I hope I have made everything
as clear as possible."

He pinned the claim that the hackers know of 30 yet-to-be-fixed flaws
in Firefox entirely on his co-presenter, Wbeelsoi. "I have no
undisclosed Firefox vulnerabilities. The person who was speaking with
me made this claim, and I honestly have no idea if he has them or
not," Spiegelmock wrote. Wbeelsoi could not immediately be reached for
comment.

The presentation at ToorCon caused a stir among Firefox developers.
People worked through the weekend to investigate the issue, Window
Snyder, Mozilla's security chief, said on Tuesday. Mozilla's
bug-tracking Web site shows some evidence of that.

"At this point, Mischa is cooperating with us, and we're pleased that
he has decided to work with us, but we're disappointed that so many
people were spun up about this," she said. "It is an expensive
operation in terms of resources and the individuals who lost time with
their families over the weekend."

Based on the information Spiegelmock provided to Mozilla, the issue
presented at ToorCon could still be a serious flaw, but so far, it
looks like an innocuous crash, Snyder said. "We've got a potential
issue, but at this point it is essentially a reliability issue. We
have not been able to demonstrate code execution," she said.

In his statement, Spiegelmock wrote that the presentation included "a
previously known Firefox vulnerability." Snyder, however, said that
the potential issue is similar to an old bug, but is different.

"What they presented was a potential vulnerability," Snyder said.
"Whenever you see a crash you want to investigate it completely, to
evaluate whether or not there is any security impact. We have not
exhausted all the options, so we're going to work on it... The right
thing for Firefox users is to take it seriously and not dismiss
anything."

Another security expert said the issue is nothing more than something
that would cause Firefox to crash. "The test case from their slides is
merely an out-of-memory crash bug and not a vulnerability," bug hunter
Tom Ferris said. "Apparently, these guys just wanted to troll the
media and the people at ToorCon."

Snyder couldn't say whether Mozilla would issue a patch to fix the
reliability issue and potential vulnerability, or address it in a
future release of the browser. "I can't say at this point, it requires
further investigation," she said.
