Text 13110, 65 rader
Skriven 2006-10-03 13:22:36 av Rich Gauszka (1:379/45)
Ärende: Firefox hacker exposed as fraud?
========================================
From: "Rich Gauszka" <gauszka@hotmail.com>

looks like the vulnerability only crashes the browser now

http://www.vnunet.com/vnunet/news/2165546/fifefox-hacker-back-peddles

A security expert who claimed to have discovered a critical vulnerability in
the open source Firefox browser has retracted his original claims.

Mischa Spiegelmock over the weekend demonstrated a Javascript vulnerability at
the Toorcon hacker conference in San Diego. At the time he claimed that the
flaw would allow for remote code execution and boasted that he knew of at least
another 30 undisclosed vulnerabilities.

Spiegelmock has now admitted to Mozilla that his security vulnerability would
only crash the browser and that he had been unable to execute arbitrary code.

"The main purpose of our talk was to be humorous," he said in a statement that
was posted on the Mozilla website.



"Rich Gauszka" <gauszka@hotmail.com> wrote in message
news:4521b1f3@w3.nls.net...
>
> http://arstechnica.com/news.ars/post/20061002-7885.html
>
> Firefox is loaded with security flaws, according to a hacker duo that
> presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi
> used a session at the show to highlight what they have called "a complete
> mess" that is "impossible to patch" in Firefox's JavaScript
> implementation. According to the pair, the implementation is home to at
> least 30 possible exploits, all of which they plan to keep to themselves.
> CNet's Joris Evers brought the story to light this past weekend, but
> reports are surfacing everywhere.
>
> The presentation, dubbed "Lovin the LOLs, LOL is my will," actually only
> focused on one flaw, which the presenters said affects Firefox on Windows,
> Linux, and Mac OS X. The exploit reportedly causes a stack overflow by
> merely including a small snippet of JavaScript code on a webpage.
> Spiegelmock and Wbeelsoi have declined to fully detail the exploit,
> however, leaving Mozilla a bit in the dark. In fact, after a Mozilla
> employee exhorted them to report the flaw and collect a $500 reward,
> Wbeelsoi said "what we're doing is really for the greater good of the
> Internet, we're setting up communication networks for black hats."
>
> Mozilla's head of security, Window Snyder, indicated that Mozilla believes
> the exploit to be real. She has also said that the presentation given at
> the conference contained enough information that other hackers may be able
> to reproduce the exploit before it can be patched.
>
> Reports of the flaw come less than a week after Symantec's biannual
> Internet Security Threat Report indicated that the number of browser
> vulnerabilities is on the rise. Firefox led the pack both in terms of
> absolute number of vulnerabilities disclosed on the last six months, and
> in terms of percentage growth over the year. The report also noted that
> Firefox had the lowest "window of vulnerability," meaning that the time
> between identification and fix was comparatively shorter that for other
> browsers. Nevertheless, the current state of affairs has led many readers
> to start joking, "Firefox: the next Internet Explorer."
>
>

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)