It was reported over the weekend in c|net News that two hackers claimed the Firefox Web browser is critically flawed in the way it handles JavaScript. According to the report in "Hackers claim zero-day flaw in Firefox":
"An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it."
As reported by Robert Lemos for SecurityFocus in "Mozilla flaws more joke than jeopardy", Spiegelmock has apologized, indicating that the presentation was intended mainly as a joke:
"The main purpose of our talk was to be humorous," the 19-year-old researcher said in the statement.
"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
Although it is reported that there were those at the presentation who recognized it as an attempt at humor, it is refreshing to read the comment by recently hired Window Snyder at the Mozilla Developer Center:
"Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate."