
by Mike Zazaian October 3, 2006 - 1:59pm

Zero-Day Firefox Flaw a Hoax

Just two days after claiming knowledge of over thirty unknown Firefox flaws, hackers Mischa Spiegelmock and Andrew Wbeelsoi have admitted that the claim was intended to be humorous.

The initial announcement came two days ago at the ToorCon Hacker’s Convention in San Diego. At the time, Spiegelmock and Wbeelsoi claimed to have knowledge of a flaw by which hackers could run malicious JavaScript code on a foreign Firefox browser, thereby gaining access to the victim’s computer. The hackers’ claims seem to be nothing more than a sham, however, as in a discussion with Mozilla security czar Window Snyder, Spiegelmock made the following statement:

“As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.”

And while Spiegelmock was not able to run malicious code with the alleged flaw, the Mozilla team is still investigating the possibility that a JavaScript stack overflow in Firefox could lead to security issues.

“Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously,” said Snyder in a recent post on her Mozilla development center blog. “We will continue to investigate.”

Spiegelmock also claims to have no knowledge of the 30 other alleged flaws that were claimed during his and Wbeelsoi’s ToorCon presentation. Said Spiegelmock of the matter:

“I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.”

[via Mozilla Development Blog]