Just days after telling delegates at the ToorCon hacking convention in San Diego that Firefox was critically flawed, and the online reporting hysteria that followed, one of the two coders who gave the damning presentation has now admitted that it was just a joke. Neither Mozilla, nor the reporters and bloggers now busy wiping the egg from their faces, are laughing.
Mischa Spiegelmock and Andrew Wbeelsoi claimed that the way in which Firefox handles Javascript was so deeply flawed that key sections of the core code would need to be re-written, patches were not sufficient to save the browser from this vulnerability. They said that it mattered not which OS was used, the flaws could still induce both a crash and enable remote code execution on the target computer.
Now Spiegelmock has made a statement through Mozilla.org to put the record straight:
"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. The main purpose of our talk was to be humorous. I apologize to everyone involved, and I hope I have made everything as clear as possible."
Oh well, that’s alright then, no harm done. Apart from the fact that plenty of harm has been done, to the Firefox brand (many apply the no smoke without fire principle to such claims, no matter the truth or lack of), to Mozilla (developers worked through the weekend investigating the claims, attempting to replicate them, and that costs money) and also to online journalism which reported the ‘news’ as fact without any actual verification of that.
His partner in deception, Wbeelsoi, also claimed during the presentation that hackers were aware of some 30 more flaws, all unfixed, all undisclosed. Spiegelmock washes his hands of these claims, saying they were nothing to do with him. Wbeelsoi, for now at least, seems to be remaining rather quiet. Perhaps this is unsurprising, seeing as the details of his talk at the ToorCon website says that he ‘ruins things on the Internet professionally.’
In that, at least, he seems to be doing a good job...
