[ISN] Firefox Zero-Day Code Execution Hoax?

From: InfoSec News (alerts@private)
Date: Tue Oct 03 2006 - 23:18:50 PDT


http://www.eweek.com/article2/0,1895,2023762,00.asp

By Ryan Naraine
October 3, 2006

A public claim by hackers that Mozilla's Firefox browser is vulnerable 
to multiple code execution vulnerabilities may be an overblown hoax.

On the heels of a ToorCon presentation where two security researchers 
Mischa Spiegelmock and Andrew Wbeelsoi warned that Firefox's 
implementation of JavaScript was badly flawed and could allow PC 
takeover attacks, Mozilla's engineers say the risk is limited to a 
denial-of-service issue.

Spiegelmock, a developer at Six Apart, a blog software company in San 
Francisco, now says the ToorCon talk was meant "to be humorous" and 
insists the code presented at the conference cannot result in code 
execution.

Spiegelmock's strange about-face comes as Mozilla's security response 
team is racing to piece together information from the ToorCon talk to 
figure out how to fix the issue.

Mozilla security chief Window Snyder, who was an attendee at the 
conference, said the company is treating the claims as real until it can 
be verified otherwise but, as of Oct. 2, the open-source group could 
only reproduce a denial-of-service issue that caused a browser crash.

"In some cases this causes a crash based on an out-of-memory error. 
Based on the information we have at this time we have not been able to 
confirm whether an attacker can achieve code execution. We're still 
investigating," Snyder said.

A few hours later on Oct. 2, after discussions with Spiegelmock, Snyder 
said the researcher provided more code along with a note explaining the 
extent of the risk.

In Spiegelmock's note, posted to the Mozilla developer blog, the 
researcher admitted the claims presented at ToorCon were a bit 
overblown.

"As part of our talk we mentioned that there was a previously known 
Firefox vulnerability that could result in a stack overflow ending up in 
remote code execution. However, the code we presented did not in fact do 
this, and I personally have not gotten it to result in code execution, 
nor do I know of anyone who has," Spiegelmock said.

"I have not succeeded in making this code do anything more than cause a 
crash and eat up system resources, and I certainly haven't used it to 
take over anyone else's computer and execute arbitrary code," he added.

On the claim that there are 30 undisclosed Firefox vulnerabilities, 
Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no 
undisclosed Firefox vulnerabilities. The person who was speaking with me 
made this claim, and I honestly have no idea if he has them or not. I 
apologize to everyone involved, and I hope I have made everything as 
clear as possible," Spiegelmock added.

Wbeelsoi could not be reached for comment.

"Even though Mischa hasn't been able to achieve code execution, we still 
take this issue seriously. We will continue to investigate," Mozilla's 
Snyder added.


_________________________________
Donate online for the Ron Santo Walk to Cure Diabetes!
http://www.c4i.org/ethan.html



This archive was generated by hypermail 2.1.3 : Tue Oct 03 2006 - 23:32:33 PDT