
10.03.06


Firefox Javascript Vulnerability Was A Joke

By David A. Utter

Instead of a dramatically vulnerable JavaScript engine in the Firefox browser, the speakers at ToorCon were presenting code that one admitted will not enable remote code execution.

Mozilla's engineers will continue to investigate potential issues with the way Firefox handles JavaScript, even though Mischa Spiegelmock has now admitted their presentation at ToorCon was a hoax.

Spiegelmock and Andrew Wbeelsoi made the buzzworthy claim that Firefox was critically vulnerable to attack.

According to their claim, its JavaScript virtual machine could be exploited in a way that would allow someone to run arbitrary code remotely on a person's machine.

Window Snyder, chief security officer for Mozilla, wrote that initial testing showed the code presented at the conference could cause a denial-of-service problem, sometimes crashing the browser.

She later followed up with another post based on an exchange with Spiegelmock, who wrote that he and Wbeelsoi were just trying "to be humorous":


As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution.

However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities.

The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Wbeelsoi claimed to have 30 undisclosed flaws he discovered in Firefox, and laughed off a request to submit them to Mozilla's Bug Bounty program.

That claim now looks less likely given Spiegelmock's statement.

About the Author:
David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.




-- DevWebProAU is an iEntry, Inc. publication --