Oct 4th, 2006, 3:21 pm
Just days after telling delegates at the ToorCon hacking convention in San Diego that Firefox was critically flawed, and the online reporting hysteria that followed, one of the two coders who gave the damning presentation has now admitted that it was just a joke. Neither Mozilla, nor the reporters and bloggers now busy wiping the egg from their faces, are laughing.
Mischa Spiegelmock and Andrew Wbeelsoi claimed that the way in which Firefox handles JavaScript was so deeply flawed that key sections of the core code would need to be re-written; patches were not sufficient to save the browser from this vulnerability. They said that it mattered not which OS was used: the flaws could still both induce a crash and enable remote code execution on the target computer.
Now Spiegelmock has made a statement through Mozilla.org to put the record straight:
"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. The main purpose of our talk was to be humorous. I apologize to everyone involved, and I hope I have made everything as clear as possible."
Oh well, that’s alright then, no harm done. Apart from the fact that plenty of harm has been done: to the Firefox brand (many apply the no smoke without fire principle to such claims, no matter the truth or lack of it), to Mozilla (developers worked through the weekend investigating the claims, attempting to replicate them, and that costs money) and also to online journalism, which reported the ‘news’ as fact without any actual verification.
His partner in deception, Wbeelsoi, also claimed during the presentation that hackers were aware of some 30 more flaws, all unfixed, all undisclosed. Spiegelmock washes his hands of these claims, saying they were nothing to do with him. Wbeelsoi, for now at least, seems to be remaining rather quiet. Perhaps this is unsurprising, seeing as the details of his talk at the ToorCon website say that he ‘ruins things on the Internet professionally.’
In that, at least, he seems to be doing a good job...
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 1,539 views, 2 comments, and 1 linkback. 2 voters have rated this entry an average of 4.5 out of 5 stars. It was promoted to featured status Oct 4th, 2006.
Comments (Newest First)
happygeek | He's The Daddy | Oct 5th, 2006
goldeagle2005 | Finkus Stinkalotus | Oct 5th, 2006
Kinda reminds me of the story, 'The boy who cried wolf'. I honestly think that making such incredulous claims just for humor's sake and without actually doing research amounts to nothing but sheer callousness. As you rightly pointed out, the Mozilla developers worked the weekend trying to fix a flaw that did not exist! Who's going to make up for the loss the company suffered? More important than financial loss, what about the loss of face? Personally, these two programmers should be made to pay for the losses incurred.