Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers claim zero-day flaw in Firefox

Posted by ryuzaki0 on

An anonymous reader writes "The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here."

4 of 398 comments (clear)

  1. All security bugs are zero-day by Zeinfeld · · Score: 5, Insightful
    The term zero-day attack has become meaningless. In the days before there were mechanisms in place for rapidly distributing updates the majority of attacks used by hackers were age-old.

    Today the hackers have to work a bit harder so zero-day attacks are no longer rare. The vast majority of attacks are still from hackers who are reverse engineering the patches and distributing attacks before the patches are implemented.

    If someone reports a new attack against open source code it is by definition unknown before it is reported. Therefore all bug reports with security implications are 'zero-day'.

    What the idiots who released this exploit mean by 'zero day' was that they didn't allow time for the problem to be fixed before releasing the exploit.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  2. Re:Proof? by Stephen+Samuel · · Score: 5, Insightful
    Yes they did have a live exploit. The complaint is that they didn't even try to give Mozilla foundation an opportunity to patch the bug before the released it to the black-hats (along with the white hats) at the conference.

    The only difference between a zero-day exploit and a normal exploit is whether the person who finds the exploit allows a fix to be crafted before (s)he releases the bug that allows it.

    The main difference between Open Source groups like Mozilla and Microsoft is that (responsible) open source projects will fix potential security bugs whenever they're informed of them and whether or not there is an exploit available, while Microsoft seems to have a habit of holding off on fixing a bug unless the exploit is blatently obvious and/or there is an proof of concept exploit already in existence (and sometimes even in the wild).

    Given the way that these guys are touting how Firefox is vulnerable because they were able to find a bug that they refused to warn the firefox team about (like that refusal is Firefox's fault) I wouldn't be at all surprised to find that they managed to get some funding (either direct or indirect) from Microsoftl.

    --
    Free Software: Like love, it grows best when given away.
  3. Re:One of these guys works for SixApart by dorkygeek · · Score: 5, Insightful
    [...] Spiegelmock, who in everyday life works at blog company SixApart.

    This guy is simply a liability for SixApart, and should get fired immediately. Imagine what could happen if he manages to get the exploit code for this or one of the other 30 exploits they claim to have discovered into one of SixApart's blogging tools.

    But what do we know, maybe they have already done so. Judging from their strange "for the greater good" believes, I wouldn't be surprised about it. I sure as hell wont advise anyone to use any of their products until they've reviewed their code to make sure it doesn't sport one of Spiegelmock's toys.

    --
    Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
  4. So I wrote to SixApart by Anonymous Coward · · Score: 5, Insightful

    Maybe you want to as well? This is absolutely retarded behavior.

    From: [me]
    Subject: Responsible disclosure and wreckless behavior
    Date: 1 October 2006 14.23.23 GMT-04:00
    To: mena@sixapart.com, ben@sixapart.com, brad@danga.com
    Cc: mischa@sixapart.com

    Hello,

    I read this article on ZDNet describing how your employee Mischa Spiegelmock found and revealed a zero-day Firefox flaw:

    http://news.zdnet.com/2100-1009_22-6121608.html

    Mischa and his co-researcher Wbeelsoi refuse to reveal specific details on the flaw--or 30 others they found--to the Mozilla Foundation:

    "The two hackers laughed off the comment. 'It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats, Wbeelsoi said."

    Considering LiveJournal's recent security flaws causing everyone to change their passwords due to browser-based flaws, do you really want someone working for you who makes the problem worse? To be sure, there is merit to the argument that revealing the flaws would allow Mozilla to continue to use a badly buggy implementation; however, there seems to be more to this.

    From FireFox's IRC channel, some dialogue from Jesse Ruderman of the Mozilla foundation, who attended (via Slashdot: http://it.slashdot.org/comments.pl?sid=198519&cid= 16265621 )

    " they claim they can make $10,000 or $20,000 selling a vuln in firefox
      compared to $500 telling us about it
      selling to other blackhats, anonymously, using onion networks, of course"

    Is one of your employees looking to profit of vulnerabilities in Firefox? With the large number of huge enterprises using TypePad and SixApart software, do you really want to risk him embedding JavaScript code to activate this flaw in your products? If he's saving these flaws to profit from them, what's to say he won't look for the bigger payouts of actively punching holes in your products?

    That's unlikely--but more likely is that your customers will hear about this and refuse to do business with you because you have an employee who is actively seeking to make the Internet a more dangerous place.

    If I misunderstood anything in these articles, I apologize completely. However, what was described in the article was so outrageous that I had to write.

    Best regards,
    [me]