2006-10-02

bugs in the wild wild web

Or not. Apparently the hackers are hoaxers and have now been caught with their pants down. In other words, use that Firefox, kiddies! Here's what Ars Technica now adds to their article (the same one that is linked below)...

Mischa Spiegelmock has now said that the talk "was to be humorous," and that the presentation covered a "previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution." In other words, they didn't discover a new flaw.

Spiegelmock said that the code they presented to attendees does not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack.


So... looks like Firefox has a bug problem on its hands.

Says Ars Technica:

"Firefox is loaded with security flaws, according to a hacker duo that presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi used a session at the show to highlight what they have called "a complete mess" that is "impossible to patch" in Firefox's JavaScript implementation."


The article also notes that Firefox has the largest number of vulnerability disclosures in the last six months (the good news is that Firefox also has the shortest turnaround time in patching them).

I suppose this was inevitable as Firefox increased in popularity and usage. Looks like we're in for another round in the open source software debate.

The Ars article mentions this post at the Mozilla Developer blog. Here's a link to that blog's main page.


