Just days after telling delegates at the ToorCon hacking convention in San Diego that Firefox was critically flawed, and after the online reporting hysteria that followed, one of the two coders who gave the damning presentation has admitted that it was just a joke. Neither Mozilla nor the reporters and bloggers now busy wiping the egg from their faces are laughing.

Mischa Spiegelmock and Andrew Wbeelsoi claimed that the way in which Firefox handles JavaScript was so deeply flawed that key sections of the core code would need to be rewritten; patches alone would not be enough to save the browser from the vulnerability. They said that it did not matter which OS was used: the flaws could induce a crash and enable remote code execution on the target computer.

Now Spiegelmock has made a statement through Mozilla.org to put the record straight:

"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code. The main purpose of our talk was to be humorous. I apologize to everyone involved, and I hope I have made everything as clear as possible."

Oh well, that’s alright then, no harm done. Apart from the fact that plenty of harm has been done: to the Firefox brand (many apply the no-smoke-without-fire principle to such claims, whatever the truth of them), to Mozilla (developers worked through the weekend investigating the claims and attempting to replicate them, and that costs money), and to online journalism, which reported the ‘news’ as fact without any actual verification.

His partner in deception, Wbeelsoi, also claimed during the presentation that hackers were aware of some 30 more flaws, all unfixed, all undisclosed. Spiegelmock washes his hands of these claims, saying they were nothing to do with him. Wbeelsoi, for now at least, seems to be remaining rather quiet. Perhaps this is unsurprising, seeing as the description of his talk on the ToorCon website says that he ‘ruins things on the Internet professionally.’

In that, at least, he seems to be doing a good job...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Kinda reminds me of the story, 'The boy who cried wolf'. I honestly think that making such incredulous claims just for humor's sake and without actually doing research amounts to nothing but sheer callousness. As you rightly pointed out, the Mozilla developers worked the weekend trying to fix a flaw that did not exist! Who's going to make up for the loss the company suffered? More important than financial loss, what about the loss of face? Personally, these two programmers should be made to pay for the losses incurred.


Why do you think they played the prank on Mozilla and not Microsoft? I suspect the Seattle legal machine would have been in full flow by now...

