Firefox Zero-Day Code Execution Hoax?

By Ryan Naraine  |  Posted 10-03-2006

A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax.

On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers say the risk is limited to a denial-of-service issue.

Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant "to be humorous" and insists the code presented at the conference cannot result in code execution.

Spiegelmock's strange about-face comes as Mozilla's security response team is racing to piece together information from the ToorCon talk to figure out how to fix the issue.

Mozilla security chief Window Snyder, who was an attendee at the conference, said the company is treating the claims as real until it can be verified otherwise but, as of Oct. 2, the open-source group could only reproduce a denial-of-service issue that caused a browser crash.

"In some cases this causes a crash based on an out-of-memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We're still investigating," Snyder said.

Read the full story on eWEEK.com: Firefox Zero-Day Code Execution Hoax?