Firefox Zero-Day Code Execution Hoax?
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:
A blog called Geemondo also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys.
(PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Actually not, it's a trademark violation, and it's only if you release it under the name of "firefox". Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
It was painfully obvious to anyone at the presentation that the whole thing was a joke. It was the best presentation I saw at Toorcon just for the hilarity factor. If they were talking at any other convention I'd go see them again.
Most of the press got the joke, laughed, and ignored it. It was some tool at CNET's fault for compromising his journalistic integrity and reporting satire as fact that caused the problem.
You obviously don't use GMail,
You can use GMail just fine without JavaScript. It complains and writes you a message at the bottom of every page saying something like 'To take full advantage of Gmail, use a supported browser...'
It does however still work just fine without it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
http://www.mozilla.org/projects/seamonkey/ Seamonkey is currently using 351 MB of memory, according to Windows Taskmanager. That's after 5 days of uptime, and no exception. I know, it's not Firefox, but I suppose there is a large code base shared.
These days, "0day exploit" seems to have changed to mean "an exploit for which there is currently no fix". Not quite the same...
[Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 4 minutes since you last successfully posted a comment.]
It's official. Most of you are morons.
I think the most interesting part from the Post piece on this is this last line, about LiveJournal's Mischa Spiegelmock, who co-presented this Firefox malarkey.
"The Toorcon talk was given by Mischa Spiegelmock, a software engineer for Six Apart's LiveJournal blogging service, and a guy speaking under the pseudonym "Andrew Wbeelsoi."
Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile Javascript attack against close to a million LiveJournal users, an attack that Security Fix profiled in January."
...because you never know who you're dealing with.
Actually, there's more than enough supposition to imply that SixApart's software is contaminated with trojans. Face it, you have someone who wants to claim they have a flaw, and they want to make a secret communications network. The best way to do it is to use sites like LiveJournal and people who use software like MovableType (both SixApart products) to distribute your exploit. What better way than to infect LiveJournal users and readers, and readers of sites using MovableType (and several other popular blogging software) to get them to be part of your network?
Heck, because of this we can probably issue a statement saying that all of SixApart's products and services may be contaminated with trojan horses. Which may infect all browsers, due to a claim by a representative of SixApart. (He may not be the official spokesperson, but since he was introduced as coming from SixApart, he is a representative of the company). And until proven otherwise, all their products and services should be considered suspect, maybe even blacklisted. It is a credible claim, and if this is a hoax, well, who's to say it is or it isn't? Maybe if they claim it's a hoax, their backdoor will stay open.