Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Firefox Zero-Day Code Execution Hoax?



 By: Ryan Naraine
2006-10-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be a joke gone awry.

A public claim by hackers that Mozillas Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax.

On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefoxs implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozillas engineers say the risk is limited to a denial-of-service issue.

Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant "to be humorous" and insists the code presented at the conference cannot result in code execution.

Spiegelmocks strange about-face comes as Mozillas security response team is racing to piece together information from the ToorCon talk to figure out how to fix the issue.

Resource Library:

Mozilla security chief Window Snyder, who was an attendee at the conference, said the company is treating the claims as real until it can be verified otherwise but, as of Oct. 2, the open-source group could only reproduce a denial-of-service issue that caused a browser crash.

"In some cases this causes a crash based on an out-of-memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. Were still investigating," Snyder said.

A few hours later on Oct. 2, after discussions with Spiegelmock, Snyder said the researcher provided more code along with a note explaining the extent of the risk.

In Spiegelmocks note, posted to the Mozilla developer blog, the researcher admitted the claims presented at ToorCon were a bit overblown.

"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has," Spiegelmock said.

"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly havent used it to take over anyone elses computer and execute arbitrary code," he added.

On the claim that there are 30 undisclosed Firefox vulnerabilities, Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible," Spiegelmock added.

Wbeelsoi could not be reached for comment.

"Even though Mischa hasnt been able to achieve code execution, we still take this issue seriously. We will continue to investigate," Mozillas Snyder added.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Firefox Zero-Day Code Execution Hoax?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8c=mGJɖkDzoRJE1EjIʏٻ|9u_zP9LlFwh4~ 'I"nZΘt\snS?úO Y'Tw>{ &(ɑԫ1m3HnwݶN-gP'^> \?g3Q;Y|I uBģZr$˺79hmyakjtUP)^rӽm˙?X8Nͯ_zJY4E9.W9~`h-v$CNeS<> i^/;YJM~gDR˅4D>-āWP O:5=(G~o[MюR=6,gfV҈ gUUYNڭ~S~6.vEv ;l,aR422V,]鮘FȏwAժy|qӾlvoz{MOVY;i O׵V?\vO|SQ&:aZ+UCIͽGf=jIo]} L9X@/@ש#V4XliBuV!`J 0snr@kFPYD`6R\ 9lb蚏)6B̄H )7R<&,)|YB* brݢPP3nS%EI7#DD vxr!DKI88c^IR]E1\a>pY<8vwެ,U*մ޹-~iQwθ~j?^wսuS5>`Ub}PhvZM]qsuTSt*t o|5"o+rOLf[ԑplP)uu~L>NR}:;SjZim;Ni(|I}ѦޣR?ݘXiI70i|V8; uCuӹga {>0kJY-j$nh-DCwM0Ie!S uG νdrgoM~يС4}aqjS?g !Tg ,zzC 3PlmNl}h`1 5%aF@i0xz dQJ d$@!-i]R@Az6W? -,rrl++~'azGBjK%6Os@PG҅;vjP*τbZ z)0ٜʬ$5M힟 X*ȉ#m"0%X -gZ Xk5 Z)m *LBO{ؕaIQңF +<)d[L9<p`]?bn;N %=&^>95Y ->ƘMG {D&f+Lo>L>hQox@F6}Sˀ)4+9pPs >`|=-0Xհݹ2|dң%}?p*JNC_kVzq}nMAV?Ty v|9p‡9E#rUϚX 5<.&B#5w&Q OzBnehJJ*$,4)ŠpdjKݼ^`";hqNNRНB#@9zQ/OJb-yhֽkmH_ƠT:. B[+ M 2%W}kaԕ %/DA n:bXG6X}iМ^fdTR0iMfuYMܛwXTM.r_ }dҶlߪ%M*ǚvX>ڹe3 %P$wSJ$l%KWw΀ 7=`tu3 :`3ǟGRlC2DhR+}ne@ͤԪ)X[3T2.Q\&V,'`#z3F K~,Y\X/+]6|vjN YG:=4̄+ud'T-q?xluj )ՃYk;kH %1cs@M$ knV2 &Gmܑk}6euE׏$cifSKc9h& g֐ziDe˜,Za秺 #ؚy~Sms;䚻!`Pcfqu-Tn\wlSIBnmLqb ֚p성 .c"}=v0"tn‚_8R" @54ÀЇ>B SL@ΧrE\ ~1~1UŠP=I) ]`u0$VT!rBs=?w2_!挮t!VBLqQT*8+ :?#UQ@H3jw4'8M??5Yk>+zCG>s.y >{VN0aE>yL Z<|˰"U` }JZYPIb+ģCYV WMUpn`wy~t=t@hCxZ &`i@%p LM{baJ)?oZy6,3yZD]bRYEGʚQzCԂ3~Sb_@TrX-=o7k"뵿8KAG^320"C;wF\!dVS_C܏3ܷ V}uP@&ra;9Qo@Homs11 ZH$;QOHů07$pkVRRXU V_Aұg.s_wf=]~oLgƩ4>ʀkG2gdQ hVz\ 4w2<uMo 4yQFkoZ,+eeXS/ JU-A^Mo6=IT\SGQ>8{Ic#&a\kxkc_(uO( Eōj4 Jz7Ϣ C.͂[-2B0qR3ڛ5^@M|KZO 0u%hzGSYqza\/Cn/$h ^1Mu0@glJwѸ\C8fSqlYV&Up]t3Mb>ҁh 0>0Rlʪ+> 2*ijARϢs{@:Lpz]Qd:)nQ==յћY GL)߭q*9WIfT.jZb[)Uʹ>"4G\0R,W1<ʢ'rUN6._-Jvq *s>P9۷BlpH75SXp| ^?KXXD>DQkz\{e"nxB* GF Dccb^fsq`zUljS( -$P! WAhx/nL00<ŠqR ,JapnϏHAcg˾t/> ~?<o&crj8Gji%< 8ԾlqDJ-~~lJNCj Gya8dF&{PvB, oIŸ}/gvj45a>hF!$ _9ݎi\h_/~v/1h_dcxx\Mc{RG!hUHӋV:<fShmǛ&akC2Ȱ J_ƥ{l]sf녨kZ ^k5WE.'27Le8^Fh9²VXȬE`&|oH2<(_1aXH\R ~tDݻh|su؋n/rm D78C*QW"REh%IA&5[g <=@9NhDﵿHעo1Mr!}J_cNf4~ ɮP=8Y,rh%縵vRt/0?xԾh z?&i^3_"TS8L,ӤN)fTSeoy0;F{8쀒N1{TlOء F]nĖGS9^)ŔN yr4 GAGJ脊fye5))eH5NRMLC]OC/$$;kB:z{ gaM.m2j;vn_"'X;[ .VH0_Ӹ\bOD XY+oxt7>CT䵤 g[YUHN~@)!\8)Tz@0QH刜|1}~XU=&k?7nLq;f='Fs)= cm:{@'4wX\/f8#-[wzzMYFg_ oc$Ǿv/ݻw~Zؖ[q*A-wC<L>?Fdc: M"I^U֭UdU)I=YE㣑)?8b[0d&zvA JGs`̞xqK7bRco}|}& ~ ]=PI=w)~=Ғ(r_ZDNq5Q {qI9.x}?,J`\Ty^v} l$>?G{o[#D:*pctOxcZy‡i襖<<79wBf#AVާA#k~2l_r1! Zf̅S|QN-V6 O r/υ퓎x㶃>v6~L8cBehTq#rRLMС8#Rx\Qc)~PcS U'6>ݯ?UD;w?7y LbZZzlQvx/`A /;(+1r9:){b::9z'Cq$me0Xj)1GtO@8Nb \teI? :ˢ2cܽr ܟՄexs9NS^>vc"P }Sפ0]G:wYȽ`vO}cqD 0$B~!"J=eNS2eb-_s*xFS*Rx! b5_S6! ;J,LCEeyDmyJ$.$/6,,$_gJg~oT-8H w@0 )ev @ /o [uRn &x1I$*ǒV(+Yz*J8PlaJ,YϠJoO B /olҋ[(g) (EspʚCE!h oF{Jڄe}ˊ;qI$IۚKʯ%tB]:A,A MPs@),FAA-+ZeaH>S),R 6ȶȇϣRElIHŽ$QhGmSk[2Z鵕[CMQ zu_,IMV j\^n €d!Ad}>:;HGo^x!ݞOAlɘ׵[ڭ::fe^LPS) <ꌃ Դc}H,>3cRKuoa^Us2l Hx D M~F+7KӳW.Ģw%@0u/1o(\/+16.@"$@vTؖO"ւiԟ:I1:<<<<<*j[sӈ9:s?8fggmSx_koJj^]?!hv#rU+9B׸B3-`)~lag&5]q5_"c|?P|ooހ$)W>HA?|Kt[VھD| 9&eug6@Ih;SP F }~gZ;;^38䆩E^BXe~ ͌HBv(F|>tt>s)bzhK]K~{ ![W\}hYV;sH瘺:X;moI2^~N[mj`SƒY'ۃ{_B#>TՇB!}#w:+ +ly֫ߪެ۶0uܙn[H&=q:; s,zm*m QTkvmXo ,!۩i4mcl(M#ۀږձ4U(JV_ Uֿe=:uR¶Y,{eeYufc~P2ofph֒_fX+l%I"q0M;-)┉fnem%s_1zI4pEҘXȓ z`]g2ε7 Oz_ڋK۪_xhƗy0X 'lӈat7b%1Y~Gj .P5>f>&vDxr~vk|>īO{A'"Wx"( x%}-^U;{U9q#_@gf`ebJ4$t{#iWʃOdg@a]IY06NYl !Mqìf0m!۟`n3ջy+9q#3ga(,'*׏{M2'k:s@w»fOaR-:'ηk "Eoe! <7N҅=k=&o Ȯ{O0=`ˊvמSN|l:.Zë*juo- \qI B(l;hF)ElX Ay5F?PM=Ǐ{PDntQ+"NݧPVô-P'Ʈ$JjadwW$ƽ2tyϽgLdzlG꨺X[a0Ć>1V&GBA8AXJo,"xa/quQ%ǤHFpxAҲSWK%6qN"F dr«B.]sI /j*ʡZrXB Zk^YR+Ȉz~btτƌWGSj9椷 GgTG`j/RM`oybTy \3nlN!Vy <7LqavlS;Xif›yb+n'-浻sx"(ͪNDj`h}ȉF=3<4I\1ړnc̝ JZP-0o鞍KRa )z:kJ%:0Y>GN$(b azH' `- fl9 c;ZV]Mx_A/Ԯ,x'h> +^Rc"Wc,3|:;a>iҩ HZ۠[*н"%,g3¿?bu{ι0naeY_+ 6Ƕl[va|Duv7H Xp,+F"ͨa8TJ[ J}F0+'[q{Zak`&.c+obD )m3Fw4ƿB< Ex SO L%& J!4w\CP |*S7R(?hUeqb+;Y75 /[U@ğ8AnIݲYAЊo>co+I XPpsMA9(WTD~Nɇ ̋XL t4*$:m;A=~}DLRO@\NDCVY `Oh$~b ɳ"uFf."T( E5`뭛VWF\nz~uC@,6ѝ &u.nE4uO]5N?9$.+Ja SН!:̳!c6^؟ްn?Eo9fkH s)J~kZ7^_CiJ 8 `8.pgj9T%R]&P9 dU ?M=/׽nrj5-i`Ik„HJzyqbZŘ!c^r {n{")f%9 'l0KDg>ȧn1JO \-B@e=Dqyy<}I Āb)(aU T- !Lz)%n67p>9,a4`\Xg- .E.[q͠v?]_f5:bgé`\u l9 :U@ g>򽉡0usk5s3RC´vxX-nB<䱤P <'<,M8 7,X2| =<RXX_1[> MꪂOJBveX &zT<>KAguUr VH+^@03:% .$͈ɵ?ѝXz39^9nHI}ow/I{} \MGݩ;'e}gXa&hT慾,g6OFYi1;eNq(5q&cW#\]drxixɎ(ah,.6 (o/6PJTَ/!jbTթ0MW?&az uӲrj:ٙ%k.uXOw>>r:X)x񡖫pXmn¸~(hOu{it/[zhR `Nj_׌/P%ʯח6S](f#ח7VF)/?eCF?|۹y{}yпvF?Ӿ(3k/WQ?/aw2Ƨw2N|o'O'>N^f ?eCyFߠo(d^f%e\]f_O7CtAt3U\W_\gOe{c}G௏ ?e~2A(*h&࿛ Ku1Ay#CWpz~;"9(/'R*zUK˳C(ge3Vna{Ar!W{e_/C@qҾ:6 aqʍz^S_xښꖽpۭ]hp_l %^a/ ^敽I<"xEǹW4<< X1rnm٘5=QǒGЬ]#=D(Kse&os?`$Qv=Po\pm⦠ϻ]O^-AkO[/&7S0."ţ;ZʈP}vdmoCd yJ$ٟ>xP[Йq%IޢD)Fyk@ǡ[x7J nAmzӏg4j`/Ƈ{̧dAMeGӠ[Y"B8#`%1zIfa4GfƄ=oIF.1"u`-!l>EM++J9wWrD&0qz@0lcjJUNmaX,.g /(@#غ̷|R'C7<8iRq x+ҷM!'\Ix«&ƫ2& dofsaSKp^Wv,PX0~YDP*`! K؞.^͇$ ?X?ġi3Ǥm!clɢ]k*bC5 t81tj;Ì,aarQ z[a6ݡ]GC)<:8e`NW>KDr&ߢ5zOG T2A[hUe?q jg'4WB&* U|6B:4>89ao5RFXk;MAc>l:h}rWswläd9|Y«U/=ׇ"2cX =7=Gcd\xjA߭ed#əW B| ,*-Ŋ] i;j3L뱻$0\d~\g;[n `Bj9c<~"E a'_C X戄=$~5|w,C左cS%m^Π&b/;yvԷeE&PL1)¶c)Jq񥙼$tnR'K;"=oPmJO0wKw ,CQ6v>LSc? `nwf9cˎXQYɶz S~j\O(Coݒ\k<>ai$xSfyc<znG}޴_Ë%:=-Y0 p,^ftO#m<` G&J$߀)0t1Fu:h /Asl+ 6- - `⚈meF6M֦2QTD )Ybd휙f * '8"U]ۼx[9ԋO0xmѕhOql>-/#]^$&+$~Il=au+Wrcd+{f:ePBEXl'!R5+Ke$Viإ5EE6*Ѝ5ϰ|3'5ȱ ya1 g{y6W=?5z3lvf~wxq*'\`Tb T.7/ZKwc~/ByֽKgN$g~V;v@;赿hT*㉋oZŧ݋u nғ/RXFYzhI:f+ AHdcfC"׳o .A|>Ǩy6xL 2kV*wN㛼VtƦI:1qzr{aL셳Qbm٦dUi29J{) qE˕4>9f07Nw6Є В'nvbe}:4+