Firefox JavaScript security “a complete mess”? More like a hoax (updated)

Editor's note: as this story progresses, we are adding updates down below. The current word: this is a hoax.

The original story

Firefox is loaded with security flaws, according to a hacker duo that presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi used a session at the show to highlight what they have called "a complete mess" that is "impossible to patch" in Firefox's JavaScript implementation. According to the pair, the implementation is home to at least 30 possible exploits, all of which they plan to keep to themselves. CNet's Joris Evers brought the story to light this past weekend, but reports are surfacing everywhere.

The presentation, dubbed "Lovin the LOLs, LOL is my will," actually only focused on one flaw, which the presenters said affects Firefox on Windows, Linux, and Mac OS X. The exploit reportedly causes a stack overflow by merely including a small snippet of JavaScript code on a webpage. Spiegelmock and Wbeelsoi have declined to fully detail the exploit, however, leaving Mozilla a bit in the dark. In fact, after a Mozilla employee exhorted them to report the flaw and collect a $500 reward, Wbeelsoi said "what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."

Mozilla's head of security, Window Snyder, indicated that Mozilla believes the exploit to be real. She has also said that the presentation given at the conference contained enough information that other hackers may be able to reproduce the exploit before it can be patched.

Reports of the flaw come less than a week after Symantec's biannual Internet Security Threat Report indicated that the number of browser vulnerabilities is on the rise. Firefox led the pack both in terms of absolute number of vulnerabilities disclosed in the last six months, and in terms of percentage growth over the year. The report also noted that Firefox had the lowest "window of vulnerability," meaning that the time between identification and fix was comparatively shorter than for other browsers. Nevertheless, the current state of affairs has led many readers to start joking, "Firefox: the next Internet Explorer."

The zero-day debate

Spiegelmock and Wbeelsoi declined to discuss how they identified the exploit, but it has occasioned a return to arguments over the security of open source software. Opponents have long argued that open source software is inherently unsafe because Bad People™ can pore over the source code looking for exploits. Opponents liken it to publishing the blueprints to a fortress. Open source advocates have argued the opposite, namely that publishing source code ultimately results in more security. The more eyes that pore over the source code, it is argued, the more likely it is that vulnerabilities will be discovered and fixed.

The truth is likely somewhere in between. Publishing source code certainly does raise the possibility of an exploit being found via that same source code. It's what happens after the flaws are found that seems to stir so much debate. Human nature being fickle, there's little to recommend predicting one outcome over another, especially in an environment where exploits can be sold to the highest bidder for nefarious means.

The after-story... there's no story at all?

Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are "still investigating" and promise updates as necessary. Nevertheless, it's beginning to look as though this was largely a prank.

Mischa Spiegelmock has now said that the talk "was to be humorous," and that the presentation covered a "previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution." In other words, they didn't discover a new flaw.

Spiegelmock said that the code they presented to attendees does not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack. "I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code," according to comments on Mozilla's developers blog.

As to the claim that there are 30 known exploits in Firefox, Spiegelmock said that the claim was made only by Wbeelsoi, and indicated that it, too, has not been verified.
