Firefox JavaScript flaw claimed to be unfixable turns out to be a hoax
At the ToorCon hacker conference, two hackers claimed to have discovered an unfixable flaw in Mozilla Firefox; a day later they said the entire thing was a hoax.
Two hackers claimed at ToorCon that the open-source web browser Mozilla Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said. The presentation sent Mozilla Corporation into a panic.
Spiegelmock detailed the JavaScript 'flaw', showing a slide that displayed key parts of the attack code needed to exploit it, and said that the implementation is a "complete mess. It is impossible to patch."
The two hackers claimed that the flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. JavaScript flaws have been a particularly nasty headache for Internet Explorer and Microsoft in the past. Various exploits trigger a stack overflow and allow an attacker to take control of the computer.
Snyder, Mozilla's security chief, said she was not happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal." "If it is in the JavaScript Virtual Machine, it is not going to be a quick fix," Snyder said.
The hackers went on to claim that they knew of about 30 unpatched Firefox flaws. They said they did not plan to disclose them, instead holding onto the bugs.
Initially, security experts were doubtful, saying that there was too much hype and that the Firefox JavaScript flaw might not be so easily exploitable. A day later, the hackers admitted that they had intended the presentation to be humorous: they had never built the exploit, nor did they know of 30 other flaws. Snyder can sleep again!