Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Zero-Day Code Execution Hoax?

Posted by ryuzaki0 on from the shouting-fire-in-a-crowded-fox dept.

Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.

3 of 215 comments (clear)

  1. Microsoft link? by masklinn · · Score: 4, Interesting

    This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:

    A blog called Geemondo also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys.

    (PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)

    --
    "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
  2. Re:Moo by masklinn · · Score: 5, Interesting

    Anyone who releases it on their own is sued for copyright violations.

    Actually not, it's trademark violation, and it's only if you release it under the name of "firefox". Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.

    --
    "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
  3. Re:It's all fun and games until someone gets hurt by Anonymous Coward · · Score: 5, Interesting

    It was painfully obvious to anyone at the presentation that the whole thing was a joke. It was the best presentation I saw at Toorcon just for the hilarity factor. If they were talking at any other convention I'd go see them again.

    Most of the press got the joke, laughed, and ignored it. It was some tool at CNET's fault for compromising his journalistic integrity and reporting satire as fact that caused the problem.