|
|
|
Firefox Zero-Day Code Execution Hoax?
By: Ryan Naraine
2006-10-03
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be a joke gone awry.A public claim by hackers that Mozillas Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax.
On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefoxs implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozillas engineers say the risk is limited to a denial-of-service issue.
Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant "to be humorous" and insists the code presented at the conference cannot result in code execution.
Spiegelmocks strange about-face comes as Mozillas security response team is racing to piece together information from the ToorCon talk to figure out how to fix the issue.
Mozilla security chief Window Snyder, who was an attendee at the conference, said the company is treating the claims as real until it can be verified otherwise but, as of Oct. 2, the open-source group could only reproduce a denial-of-service issue that caused a browser crash.
"In some cases this causes a crash based on an out-of-memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. Were still investigating," Snyder said.
A few hours later on Oct. 2, after discussions with Spiegelmock, Snyder said the researcher provided more code along with a note explaining the extent of the risk.
In Spiegelmocks note, posted to the Mozilla developer blog, the researcher admitted the claims presented at ToorCon were a bit overblown.
"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has," Spiegelmock said.
"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly havent used it to take over anyone elses computer and execute arbitrary code," he added.
On the claim that there are 30 undisclosed Firefox vulnerabilities, Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible," Spiegelmock added.
Wbeelsoi could not be reached for comment.
"Even though Mischa hasnt been able to achieve code execution, we still take this issue seriously. We will continue to investigate," Mozillas Snyder added.
 Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
|
|
�������x}r8s;�ӮcV%UȖ\ִmy,UyF((�ئH�Iy�7��7-䥺未n��&DnH$�?�'I"gnZ΄ܦdwÀ�>]K$�B}�w�N��UQR #7((�bP�<�HwO7n[�Q0�R�?`���᳙*,�Q � tjGt0]2d�6;k6!o4vekOh cߨ_X&``1\t�|TA!j
�:iݒ |i @I>b(h]
](
Ѽ{�e�MQR`N
Cw&�tb9�Q�6�RV2/Fӽ<�t�[h��#k�|�E=x:Q/M+lဌl�ڮ�U�X'�[vR�Q(0B.Ą��u#wJ;qy�'M�8NfQ%p'F:rm3C������k>LNZ]@Z�3ˆ辥{$�)5�= \o4"�1lp2�rH
n>�,
ш��yiV�N8C�Ynհ}=
:ҍ�}4�.j.9b�M ͻ�S
��P2zhN4,2Q�Ȳn�Mw��Ͱ-P6CMT�jR?tދWwcwm9{�U�
wht?S)y{zY !�lݹ�ඒ�k%m�{|N�svN�5y��vty/��;YHL~'@DJ V,MD��&-ԁN�VP?� uΑjQ2[N-�K�j%�ɥ~hY̞o�� f�VҘ�'�UUXA[~6t.�˫nC�ӣn�;lL,!�V4*�V]?c[ˠjq}Ҿ~^{}rһ"ΧqٝF4pgs
Zʿ�~��'^=:$lrK��,���.i�TW%�vxC!u{L
,_e=h��!�_w��nr@
i/�]"�{�,Y`M��`�ImdƱ�(|Ǻ�r�N��d9AcE'}6kiJu�V�!`FC�ܺm���$9�(��ȟk4�R\� 9jb�)6�K .'7R�?o�fz�CU�C�Z9nVĨ9U�SA�EI7CD�
r23y�B(&�PHQ��>L�y%Ku}7�p�@W-CrlNVڒ1Wb{H
.Cu&͓Nk&E;~C�T�364>H�,H�!eݴ%�g榣V'cW*P\?,Ëʾ��b�(7ZdL��,��1,{Lt�y8��`���;}F_wgԴHwӈ<�:�M�/�C˥yj1�@�
L��^a� ;p�w�>-Fv9s�{Q �{>�0i��CkF�QD$��i��-D�@wM0I�e+�!3@uK LΝ߀2fà�F{t$�,/�#0/ Zm��{����Ae^~�}�̢!1y@��X�f`so뷺e#���97(�u`Hd˕�N���] cRRR$S !��hI#r����
B�,`@n%`� [AX;;�.V+�\0=�Je !3w�JRF;7фr��Z
z)2Ό�eVQYg0V-&D7rb�.G�EwKᙖ&Z1oY.+_çC&tc˰` #A�.kޣe�K0Pl;!i`�3Ԑ(ʲMg9@��߽h�
��Iߵo)y@�6Êi֜ᔂ�"����dujM3ˁ�2$v�W"tCh�j�5Xjoa��5�\'1nUK\�4�fX*hm�='�.�0bjj+iS w$mrn)�RЛv!s9n!�x�W.Y� ��2gxRUy�Qtʝ+PXY3V7�\EYbꞦq�H1g0dz7[V@q=13�7R�tgZ�C+>q^i.;[Oe]Zr{Q^ӛA'~.MB[+�ҞY�E��9&ےx��A-ʘ�ƗZZ"��J�P>VL"�Cɧ�qHL�d�-~6���pȞZc�7l`(`R5) KB+��٫ X37l�d �xA�qF�Fݔ`�AD�Ll5T� թz�4�}&I;{\OgH~uP9��s?Q,C,
��)L>Eװ�H��ZWS{�u��&<�$��2.|N\��+�Ё*8t퇙gpp0tׅ=%
Τ/x擫Np�ڊ:D�ۃ�h2�f��ñeH�!{ӞW+>(-jE)j4'� �q/#Y��/�m0ܱk]>bD�uD(-CZ!3���O�5uH8F_̈́OAM�
&89q8TU��&eL�Z�j9aJ;���=�J%Fh�\@Ae
S#<�~Ɋ0�
ClW��͵8�]\c�)>(`�ɲI�TNБ1�[DG ;@�nuESUG�݀ލ�n/�F���+ F��6@\=�<��vgS�(0f�ۦ
b�h�sڻm?O_9-b����:x�cqiy�@(xo8pL )h�
UK*~iϻ���{/R68F�2<"#��8\�fS>z�dVPBK&nΚ7���7ϣ=O!�cErzg�m2D8z0J�d�mؙY#Cf۴s:i&21065"Z` |�e>c'Ww�}}R�c'o!2Z��pgH7n�]Ǥ|m�,-n1y�c�%[Ŵ(n<0{�L3wF�>6
ink`dmh~U�+->Q#2!n�=�s?^�5r�U ˏ}b*kZQR^?�+8�rk4r�O,���ZKq~Z��kp��9
2j=uR/fK�ܦ��@vGܖ�[J,]�
Ba
u(
=(tם. �26�`I3I9�`
{iO4c��J7eFV*V$,< 7�C7{d',�LGI<~�:&.rOf�ss]����`@|7����#S�GRie�mR��ܑJ[ cĵ��)$j^�ç,D,_t�2jUk`W��ʠ��<� �j�;!�]8`�CMM8q����^ar0uq�8(��-E491���=�qhZ�a�v�OT+�f4A<8'ov/?Bﵺ05A���E6v܆kJV�~�ZgZ�q�t,+?v~��}@:iw>������?�N�ٿn0y�it����~_KKx�4Խhwq@*�V-~}hKև�?�M�F&;f�B�,&8o�IvI�s^i�{{j��+��ms2"8�.�d��hQo0�8筫��%Y�;$gu�oл�o=�rHp'Bju?\�$'d�0
s|i]E'�6b�L`fX&IEy#SW5C2�x0M���PX!�a��P��H��T
�dDۿ48|yQ$K�2c�]Z�qms�z}@iR'D[3pq*hKhwI�e�
ޜ,Hu9Ym@yjZӽM3%�[/GG�X ;[
.ViH�_8_`�t[g"�,G7��<�mt�!}6PR4jշΫV~D��C>lj9l01z�B>*�䴨��t#~Mbcsc�D�1u�wR;2x�;�yZ1�ݾpne9�r0�jw;t=z;Ojw]!3LرDݘ�~�h='�s� o. �cgm:;@�FP$w"B�+NQD=%��,`�*h
5nW�Kot!v\�u6\)ar�Js dނ�>3�ᛷ
6n�2'|2KO$ho�~QO�ƭovfCY�f=f/ݷvcW};Ǎ>--8t�Q#�Tiϑɘ&B�ARTUjln$�r�Y9sJE_V
;ld+NE�$Q�d1Ws0dƛ'q=K�}#uooo=ȥ��'֛ݥq=*A�O��O�4v�7
]ekw}B%u�J+z9nwZh�p;T�%%դYȁIQ�)"y�6Kh#jv.b_;+�&bidO1\C|Syg!,d���a���зF�؞qa��L��d<�J��;�o�oݍn T
f_�!O�#%�FJ
,Q`mZ��9_�к õQ`V���Ǵ�_p8|#؈fo_��O�6oNƂ1f̙�ʈ1W�M�|c�b
|cI5�%���?D8�M{fr+
�7E�An˸�!E%Ö�d�N._��2�Y�l떟2d]�3u5p,wU<~/n?ZP>/�U��6.G7;:���dn|p�
e�eѳ̆Z.j�xFwP#/7F�1_�|1p≠չƜc���h#@0`jyͧqSjE.;lk|0x%Gc�0Иsfq�
hh5o�9)iQ?8F*4{\ӑ��trao/$?t�،%4I�,�g0m>U�vp'O�.J`�;o�&ڍ2�.NWZ
�^v�B\W&b
u更B�i�2PI�<9��)
�\;]1](Q�BK�qT=zg[qŜP?w:'IM�T�F_p%ϫ|-'5X%ۋ
J.ɼn�vY=�$= ?�:I6=$R����ĩkz_TJX,:s O8u@ZDCFI$R3�GH�=�xVHh�˘.S�� ]"wk<60xrbh�!r 6á�]IҰTYpazӸ)19hԄk�S|]q~L%,h[g��eϺ6�}�y&6 lb_R�|uQkrz&!&F -'+~vĶc�ųz@\�o=,^�k9�v M.j.] XPݽPm�ұkRI#,^qؾ18 ��A���!�@��yB�9�B<)m
ReSz|R˄e?H`N��R-գ�dh_HEr$�IR�M�跪�ʲN� '�T[-bԏ�vJ��zш1)Hs��!,Z�"h?6�:�1^JJU鈆t;I�Hw[��iJ';�D`EY��dJUk�QX%��ֈZ�3%L�%͐o^�mt<,5_��$]}�
,
q2�8�EK{{{{[xe<��q��+$�*�,c*���,>xtA7�R~�WDBSv�:mW[>czy�⋹i,g~/��H=:RGfTGV(�уtrk�1GIZE5\-K�/Ψ8z\�����YnH��]Dy�JOykCz1�k'V�QBde�(�'TZ}LjxL�kzx41ȕfg��w@V<လ.� B$1D�� H�xTgSԜЯD`�3^ސ/Esx델#0Z�p<�Q����I~C%#�,O^P�[ZZ#bO$$�$aMA��I�HV�CՒsw+4چVy]uy\K�Gs'K`�%?p�:@>>u&�^j[xl ]��=o]h�ho]a@^�7��
n�tjR[?�Qk<4���ۛ��{ӱ67n�шWT܉=ek@�L�fgiǃ�p���D�Ĺ#p
+~mo"ݦ�]�G]gl1���z��%%L!GO)��o OA"��MI:
Jq�Kmss�Eu^O�BXe~
փƷjP��1&#߽�N��#=1��chѻ�%ѻ$Ǻ7��k>^�wy
�㹍i?Sʼn�7K-L)��nw�$~/F�F㎆8ZrD'ꇡ;+4w6XViG@sy5ϣ{tn�wXWKIܲ��V�@
55`~�#7}�6�nʭ`��PR'���}u<;-���zmnMo7
qW;6;7oQHvjcm^*㵙$=mVx{�7i�S`�W۰:ư:�/5|`�Y�mZ8Og-]@6cc5�Ҷn�ޮz�=W?�!,�DS�2ĚdQ+i�錂qn
�i�3ƚe�5�.&2�ֵ7
�5�OZM{_ڋKۨ_x*��8�&y�0ZX�'�x�>#b1EKl���@.hr�]LY>�̆-
L7|q|�7w-
L4.N-£E��t�^"7 œ˂hgϡ?:n$K��x|�V&��>I%4&Kux�� �̰6$o�,SPc�G4S3T4k�L`o0I_7nmCL=��SN|5�ɚy�NxNtyN)(Ȣ#)fF<��&Lq�j=!vc`~�)}�+n-{sxb(fUj*Wra8uf>I�#)�mQ�Na�?c,o7o"nJ[�@�!�Z��Sep-t�|
Y?�*ªF��wi�p|R
�_�ڡoF_
+uMi
f9&t��0�|�Q'W�;Jέ W�,�Oҧ�E2jɣv#/'#w��yKjf�ݷ1a�,�֠i]fa�Z<<}Q,mJ)Ag'��\$�|�֢N��cˡWǪ%chٱƙ.�JW�FƮA�wN
�0s{EMF^[5X�lDqMg+vb"m7\%�p+p|?p5n/��/�s�Y5�00وڳb
CUU\Q=@!�K([�q[ֿ�|Ɍֲ:m��g�&�_cLѹ'�
��}(W' n$�yVmIz .�kx�>ahˏ�Rkueaj+;Z�Akj���=ҡ?+qܑuf�m�B+�Nd'�&
):g]Б�ܟޔjmO*oIgO8��}x|�m@� "6
?��Ki;�-bWld�b$@�����;\w:"=gs?��>zxX�2b��嵅DGt7wtq3�Sgn1��0
^R��PԘ:� !'@vq]Q
\ Cw�Fr}`|bL]e@q0�qaqn�?�pБ`�%A� H3v�ht+J 3\"�9'0�ឩS1,_3-�kD�M(q�i+8<4>?_IN1%
ၰ
�5"��
B�[TvmDRRi�c��Ox
1/R}XQx*̆RǠ{=dl��Uo%P`�qT|8snj}J"
|o�P"1XJeF.J'e��E �d��3�w���
s�!�)�u7S�I�u�~
v�K�
.X`���,2E<�Cezw?,����wSܕkوx���df:�,EףΛ]-GAGG71`�Tg8�X�Kں9�PAS(?)�-�sa~/r�".`.r��#z _z9�2>.˜~r�猿��7ȡ?�?�}}̡OP)�)g|�rw
y@9{
_
wCi]'I9z�[9|ֺą۩�QNy<ʡJ�E5ৼrXB]Cy<*PC/nr
���
SG0V[<|*eM+5VkZpWrHi3=""C�
ITMV�Yi2ZUٯk��%�QP�e��h�[i2�oVS�y�Vi8�n[�C DK(��x�>Xx}c6Dx�_ƌmBfH��6T<�'u~�m'X
v;n;+.la5)"RCvwi̯[N4f
AL
�Ifn|1@u4b�5V$G3x7X05:�%�xl��(1�L=-i�o�B+�_!c��ZC�S@e8>�cc>mTώ�;[9���Wuu;2b;xR
��Hv[l�,��)1 {��;KH6ĥf� `?94Ǟ(ـ�O咤 X+.Ġ/�>''4WB)��~�EE�`A�0^|e�D$u�@'�
�;؆OnS�C��>X��X��e-s0ŬBSh�<�)O?'[nG\�k<>a�i$xM��Zձ]w
�O 7�g}L��_�ΦJu!AY�?_�vs[>/R`p <Щ�1T\bգJʶ�E9b�릍
�Ѩi�pKTؖEn��dS^moymOEmY>m�Ѝ5�O1ngNb�k�*�χŀ�{̾1�^f#9uVOed�g)�dr̅�2 !ɴyyU~ҥ�N�.I,g`aQd+$*)�ؐ��W
���k`4bV@��1,F�,�o�ԟ�N*)As�a#�El���[ApV7�.]2�8Lg��3E~1㡺_0�U9um�j ֺW6x�ozc|�[D,5ba:(�ɯz��0��
�\M萻kÔpaif�#3�S{�3�;߂ �i�x�v�4d31#7Dj0BrH
d[H_مt&�v3�k�)/�YH~1
�� �<9�9�.@$�NSP_X1�]< :L+ �s+
�Sq�|�|>,]S��,w1NZݳ�<|;�X�it0y҉�.3J�bq')t?��V��zW X7u㆗�pxі6�EKB];Y��B*E�wj���T7 r9̳�ś|`bhPgr09d֎��VMMn3a-dcˤ_�lhT3L+��
|
Network Security & Hardware 
