
by Mike Zazaian October 1, 2006 - 2:38pm

Hackers Announce Critical Firefox Flaws

A flaw in the way Firefox handles Javascript could make it exceptionally easy for hackers to gain access to computers running Mozilla’s flagship browser.

An announcement by Mischa Spiegelmock and Andrew Wbeelsoi at the ToorCon hacker conference in San Diego suggested that simply running some malicious JavaScript code could grant hackers access to any computer running Firefox. Spiegelmock and Wbeelsoi said the flaw exists in Firefox on all platforms, including PCs, Mac OS X and Linux. Spiegelmock called the flaw "a complete mess," and added that it would be impossible to patch.

The announcement comes just days after Symantec claimed that Firefox had 47 known flaws between January 1st and June 31st, 2006. With 47 vulnerabilities, Firefox claimed the dubious honor of being the least secure among popular browsers, compared with 38 for Internet Explorer, 12 for Safari, and only 7 for Opera during the same six-month period. Mozilla security chief Window Snyder said the alleged flaw will be investigated, although it may take some time to repair. Said Snyder:

If it is in the JavaScript virtual machine, it is not going to be a quick fix.

And while Snyder is always glad to be informed of a new flaw, she was angered by the way the two hackers released the data. "It looks like they had enough information in their slide for an attacker to reproduce it," said Snyder. "I think it is unfortunate because it puts users at risk, but that seems to be their goal." Spiegelmock and Wbeelsoi also claimed to have knowledge of 30 other unknown Firefox flaws, but will not release the data to Mozilla, instead holding on to it for presumably dishonorable purposes.

Also in attendance at the conference was Jesse Ruderman, a Mozilla security employee. Ruderman was called up on stage during the presentation, at which point he attempted to convince Spiegelmock to hand over the flaws to Mozilla's security department. "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," said Ruderman. In response, Wbeelsoi laughed, responding:

What we’re doing is really for the greater good of the Internet, we’re setting up communication networks for black hats.

[via cnet]