Hackers claim zero-day flaw in Firefox?

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
01 Oct, 2006 2:52 pm Hackers claim zero-day flaw in Firefox? [sdp=77854]  

From the Sunday news at http://www.whitedust.net/speaks/3006/ :

Quote:
SAN DIEGO, Calif.--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here.


This entry is pointing to ZDNet news as well.

CERT organisation US-CERT has assigned a specific Current Activity alert too:
http://www.us-cert.gov/current/current_activity.html#ff0day

and vulnerability advisory BID20282 (i.e. Bugtraq ID) has been assigned:
http://www.securityfocus.com/bid/20282/info

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
02 Oct, 2006 10:20 pm [sdp=77941]  

Cnet News.com's report: Hackers claim zero-day flaw in Firefox

Quote:
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."


Quote:
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.


Perhaps, this is the best quote:
“Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure,” Mischa Spiegelmock, a SixApart employee.

SixApart is famous for Movable Type professional blogging software.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3

Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
02 Oct, 2006 11:22 pm [sdp=77943]  

Response from Mozilla Developer Center (beta):

Quote:
Possible Vulnerability Reported at Toorcon
When someone says they’ve identified a vulnerability, we treat it as real until we can verify otherwise. We immediately begin investigating and trying to fix it. This is how we’re able to ship fixes so quickly.

At Toorcon this weekend, two speakers claimed they found vulnerabilities in the Javascript VM. Of course we take that very seriously.

So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated.

-Window Snyder


In plain words, Mozilla confirmed the code can cause a denial of service attack.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

casey1992
junior member


Joined: 29 Apr 2004
Posts: 19
Location: Wisconsin, USA
03 Oct, 2006 11:38 am [sdp=77968]  

Here's what was posted at developer.mozilla.org late yesterday. The significant part is the "apology" from the "hackers". It's short, so I'll quote the whole thing.

Window Snyder wrote:
Update: Possible Vulnerability Reported at Toorcon

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

Mischa Spiegelmock wrote:
The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder


I suppose it'd be a good idea to update the information on this site's main page. :)

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1) Gecko/20060918 Firefox/2.0

Last edited by casey1992 on 03 Oct, 2006 11:41 am; edited once(1)
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
03 Oct, 2006 1:13 pm [sdp=77972]  

This was covered at the following eWEEK article too:
http://www.eweek.com/article2/0,1895,2023762,00.asp

New information:
Quote:
On the claim that there are 30 undisclosed Firefox vulnerabilities, Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."


I agree that some updates to the thread description are needed.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
03 Oct, 2006 9:28 pm [sdp=77980]  

Thanks for providing follow-up updates. MozInfo701 has updated the article to reflect new information.

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3

All times are CST (GMT -6)