Slashdot Mirror
Firefox Zero-Day Code Execution Hoax?
Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
The first time that I actually started to worry that FF might have a problem, and that I should be careful, it turns out to be a hoax. I don't know whether to be happy about this or not?
Support NYCountryLawyer RIAA vs People
Maybe we could debunk the Firefox is a memory hog hoax, too.
What a fool believes, he sees, no wise man has the power to reason away.
The NoScript extension is like a firewall for your browser. I install it on every computer I can lay my hands on.
Neither am I.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
Or until someone wastes time taking you seriously.
Yelling "bomb" in an airport isn't funny. Neither is this.
Next time, make it painfully obvious you are joking so people don't waste valuable time.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
No change there then.
So, let me get this straight. Microsoft opens the code for their browser and lets people look at it, and submit "patches". All patches must go through a slow for approval (for good code) process. Anyone who releases it on their own is sued for copyright violations. And anyone who reports a bug mysteriously reports the next day it was a hoax and a joke.
I want this Microsoft FUD to stop right now!
oh, wait, this is Mozilla? Err.. umm...
I wholly support Mozilla Corparation's moves in the Open Source community, they are right in this case, and anyone who goes against them is against successful open source projects.
Have you read my journal today?
And, this should noted, this should NOT be limited to security exploits and hoaxes. It's twice as true for news that really matter. Too many people want to believe what they hear as long as it fits their personal point of view, without even questioning whether something is true or not.
As long as it fits into their view of the world, it becomes true for them and they perpetuate the lie.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:
A blog called Geemondo also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys.
(PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Now I don't feel so bad for making fun of their last names!
I'll bring the feathers.
There is also a post about this on the Washington Post. Apparently, they were just having fun?
If I was Alistapart, I would have gotten rid of this "clown" immediately.
[alk]
I laugh at the incredulous panic that this hoax creates. If you stop a minute to analyze (and maybe comb the crumbs from your disgusting neck beard) you would realize this means very little to 99.8% of the computing world - those of us with spouses.
Oh and I don't count Apple fags as computer users.
The following replies are posted by unwashed nerds.
at all my peeps who are pro-IE. They bashed me with this zero day thing till kingdom come and now I get to throw this back in their faces. Funny... I get to do the same thing about the Buffalo Bills.
Help me get a new laptop - http://nocreditcard.yourgiftsfree.com/?id=3012
Are nerds really that unsocialized that something like this qualifies as humor?
The skillless losers from Bantown whose purpose in life is to stir up pointless drama don't actually have any real exploits? Surprising.
The Firefox team should stop thinking about adding new features in order to just take away market share from IE and start doing the basic things: perform security reviews and fix the COPY AND PASTE.
Maybe the developers seek fame (for themselves or their product) but have no substance?
Linux violates 235 Microsoft patents.
Turns out this is a possible hoax that was overblown for laughs
Knee jerk reactions and FUD just doesn't happen here on slashdot. We have cooler heads than that.
FireFox has no exploits. All exploits are actually in IceWeasel, to avoid legal action from Mozilla.
In other news, Microsoft has said thet their version of Genuine Internet Explorer has no bugs, and any bugs, must be due to a bad download, or user tampering. As such, all user installs of Internet Explorer will be renamed to "Meshed-Screen Interpolated E-reader" (MSIE for short), and will subsequently be subject to licensing fees.
Have you read my journal today?
Somebody may have some anecdotal 'evidence' that they ran it with a small memory print but generally Firefox will bloat to several hundred MB and keep climbing unless you close it completely and restart it. Don't go blaming it on extensions either, that's a cop-out that wouldn't fly if it was MS doing it.
Let the speculation about whether this was FUD funded by our favorite Redmond-ians begin
This is my sig. There are many like it but this one is mine.
So-called security experts who lie about exploits and vulnerabilities need to be held liable for their statements. Their remarks were libelous whether they were done in jest or not.
They need to be made an example of...
I think that these two were looking for a little fame ... and did not realize how the professionals would react to their claims.
Once they realized that the professionals (who are better programmers than they) were looking into their claims, they fell back on the "it's a joke" claim.
You obviously don't use GMail,
You can use GMail just fine without JavaScript. It complains and writes you a message at the bottom of every page saying something like 'To take full advantage of Gmail, use a supported browser...'
It does however still work just fine without it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It takes a very rare and specific skill set to write a memory corruption exploit. The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
If the CNET folks didn't get it, the panel should've made sure they did.
Any prank like this NOT done on 1 April needs to end with "and for those of you who left your sense of humor at home, the preceeding presentation was 100% pure entertainment and any resemblance to reality was purely to tweak your nose. Please stay for the next panel on novel approaches to perpetual motion. Thank you."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Andrew Wbeelsoi is an anagram for Barelee (barely) Windows or A Windows Rebel (extra e).
Mischa Spiegelmock is an anagram for "Im lame. Check gossip."
Odd.
Seriously, I'm not.
Colour me paranoid, but this looks like Spiegelmock got a call from the spam/botnet mafia: "We know where you live. Deny everything, or else...".
If it's Firefox it's a bug.
Features don't get fixed unless they're in danger of being sued. Bugs get fixed as people can get to them.
-- Tigger warning: This post may contain tiggers! --
Now people claiming to "represent wbeelsoi" are claiming that despite Spiegelmock not knowing about it, the 30 exploits are real, and it looks like they're even trying to extort MoCo for $50K?
I must say, the reason I wanted to avoid Opera is not because of the software itself. It's the political reasons. I don't lose very much by staying with FireFox, who's open source ideals I agree with more than Opera. That's assuming Opera truly is better. I do, however, respect Opera for sticking their neck out as an alternative browser.
Reality is nothing but a collective hunch.
You are a fucking idiot.
is anybody really surprised this is a fake? i mean look at how stoned they are!
You mean Six Apart hasn't sacked Spiegelmock yet? What's Mena waiting for? Maybe she's having all the chairs in her office bolted down in case she has the sudden urge to impersonate Steve Ballmer during the exit interview. I know if I caught an employee pulling the shit Spiegelmock just did on my watch, I'd need the most sound-isolated conference room in the building.
This sig intentionally left blank.
would it be funny to everyone if this was IE?
He ain't so easy on the eyes, is he. Oh wait, I should be careful. He might not hack my browser! Nooooooooo!
by the time it's made it to Slashdot, or any other major website for that matter..it is highly unlikely that it is actually "Zero-Day" (aka "0day"). Zero-Day would mean that the exploit was really fresh, as in very few people are aware of the exploit. Or, interpreted literally, it would mean that it had been less than 24-hours after it is first discovered.
Why are people trying to resurrect this old buzzword? It is starting to get old (re: 'TERRORIST' old..).
I'm not impressed. I thought this was supposed to be a tech-savvy website?
Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
For example, the modern military body-armor. It is still possible to hurt a soldier into the neck or leg.
I mean the state (or states) should attack the culprits back and bring them to justice for the harm they invoke.
When I was in my teens, a local high school student killed himself on stage during theatre practice.
From what I heard, he intentionally sneaked a real gun in place of a prop so he could go out with the cast watching.
This was a long time ago.
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
These days, "0day exploit" seems to have changed to mean "an exploit for which there is currently no fix". Not quite the same...
[Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 4 minutes since you last successfully posted a comment.]
It's official. Most of you are morons.
... for the Religious Right.
https://bugzilla.mozilla.org/attachment.cgi?id=241 005
I have trouble buying the whole just having fun angle. Call me paranoid, but I smell FUD...
There is breaking news that all windows bugs and exploits are actually hoaxes as well.
No, it's not.
I'm with some of the folks here about secondary verification.
Something deep inside me gives a knee jerk any time a developer or product engineer starts any sentence with "I have not succeeded in making this code do..." or "I cannot reproduce..." (no pun intended).
I think Firefox is pretty good. So far (since the first public betas), I get very few issues at runtime (besides the occasional spin-forever cursor when Firefox encounters a site with some really bad browser-side code.)
A Passionate Independent Musician
Anyone else notice that A. Wbeelsoi is an anagram for A. Web O' Lies?
Well seems like my notion was right after all.
They are nothing but sad wannabes, scriptkiddies who wanted to pose as l33t haX0rZ. Well, heads up guys, this will have been your last convention for quite some time because somehow quite unexpectedly (for you) most of the community didn't go "we really got punked!!! LOLOLOLOLOL! you win teh internets!" Bottom line. Don't be an asshole, or you will pay for it.
+++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
Moreover, what we used to call a 'hang' seems to be a DoS. In order for firefox to be DoSed, the browser needs to be performing some security-critical service. Firefox is not a service, it doesn't have anything in /etc/init.d/ or whatever your OS does. Firefox hangs.
It leads to a piece of JavaScript - either an attempted proof of concept, or just an annoying fork bomb - I didn't bother to work out which, but either way, I recommend sticking with "Save As" or wget or what have you.
Everyone here should read this article:0 /zeroday_firefox_exploit_claime.html
1 /account_hijackings_force_livej.html).
http://blog.washingtonpost.com/securityfix/2006/1
It actually turns out that Mischa Spiegelmock and Andrew Wbeelsoi are closely related. As we all now know, Misa works for LiveJournal. Andrew Wbeelsoi is part of Bantown, who claimed responsibility for a Javascript attack on LiveJournal (see http://blog.washingtonpost.com/securityfix/2006/0
The two are obviously related, and LiveJournal should consider immediate termination of their employee Mischa, as he is in league with Wbeelsoi, who attacked LiveJournal members themselves.
Here as some nice quotes from the article:
"We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."
"We were just trying to have some fun up there," Spiegelmock said.
Mozilla should really consider civil, if not criminal actions. Damage to the Firefox brand has already been done, regardless if the exploit is real or not.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
I happen to have semi-distant (FOAF-ish) contact with the folks in question, and I can assure you that this was purely a quest for lulz that succeeded far beyond any expectations they originally held (i.e this was nothing more than a fanstatically successful troll intended for hilarity's sake). I mean, come on: the file name for their presentation was "omfg.ppt", the "sploit" contained numerous references to "loldongs", they gave shouts to #bantown, etc. Only an uptight, self-serious open source zealoturd could've missed the humor.
seriously. just because you've got a stick up your ass because your favorite open sores project is being made fun of, doesn't mean their shit was unfunny. Google up omfg.ppt if you want to see the original lulz.
Mischa works for Six Apart _because_ Bantown "pwnzed" them two years back.
Six Apart didn't try to fight them, instead they tempted them with guided tours and positions in the company.
Utter idiocy.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
You do know that people from #bantown and so forth have in fact BEEN INVITED TO six apart and LJ's parties? It's just a joke from a group of people who get many lulz from internets jokes, don't get your panties in such a twist just because a couple of lolz have been had at some dumbass "we're taking over the world and we're serious and never mind that we're living in our parents' basement" open source project's expense.
I have a great idea for the advancement of Open Source: let's put all the license debating, internets lawyer, mailing list clogging flapjaws and zealoturds in a great big pit and let them fight to the death over whatever the hell it is they're making a big self-important stink about this week. Debian political flamewars, Apache wankfests, LKML turd flingers, all of them: big pit, lots of melee weapons, napalm to settle it.
The rest of us can get back to Fucking Coding, which is the only thing that Gets Shit Done.
To drag this mini-rant back on topic: if the same effort that people have devoted here to defaming the messangers Mischa and Weeb (calling them variously crooks, cranks, juveniles, etc.; calling for them to be fired from their employers, calling for them to be sued, etc.) were put into some god damned code inspection and verification of the FF codebase (code peat bog? :P), then just MAYBE we'd have a better world tomorrow instead of the same old same old codebase being defended by a pack of slavering, self-righteous open source wingnuts.
Slow Down Cowboy!
It's been 11 minutes since you last successfully posted a comment.
It's been 12 minutes since you last successfully posted a comment.
That blog post is 9% incoherent gibberish, 90% a pastebomb of Mischa apologizing that for other people's lack of a sense of humor, and 1% link to an easily faked image that PROCLAIMS to show a person who MIGHT be one of the presenters of a JOKE presentation eating what COULD be dinner with people who MAY or MAY NOT work for Microsoft.
Please, use a grain of salt before you believe everything you read on the internets, young man.
OT: It's been 25 minutes since you last successfully posted a comment. What the shit is this, taco? Are all your users as slow thinking and typing as your fucking gang of "urrr, css is hard, this is going to take a while" chimps?
This clearly show that gullibility is a flaw and sure these guys may be clowns but OSS is a big target for this kind of FUD - I say they showed that a major OSS project can be exploited by social engineering.
"Speigelmock" now that is funny.
Your search - omfg.ppt - did not match any documents.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords.
my password really is 'stinkypants'
The images seem to be coming from the hoaxer / pranksters own site. Check the facts man, then be a moron if you want to. I could not understand what you wrote either!
So can I curse Taco too. Chimps rule! unlike imps like you.
I did not see you logged in, chimps don;t login because they are lazy and cool!!
What a fool believes, he sees, no wise man has the power to reason away.
Blackhat hackers really are ugly, disgusting losers. Nice skin, dude. Nice hair, too. Holy fuck.
You might get a refound for defective appliance if you return to sense of humor right away.
The picture and idea is false, I don't know who is in that picture, but it's not mischa nor the guys from ms who were @ toorcon. Furthermore, I know they didn't eat out with anyone on saturday night, and they hid all day sunday in their hotel room.
Its hard to go from overflow to arbitrary execution. Its freaking trivial to go from arbitrary code execution to a black hat library. All the bad guys need is one really smart guy and that exploit is then in play for anyone with a modicrum of technical skill. Thus is pays to be really freaking vigilant about memory management.
Incidentally: you can fool some of the people all of the time, you can fool all of the people some of the time, but you can not fool all of the people all of the time. Similarly, you can manage some of memory correctly all of the time, and you can manage all of memory correctly some of the time, but you can never manage all of memory correctly all of the time. Programmers should exit, stage left, from the memory management business. It is a security vulnerability and it always will be, the same way crypto routines are always, perpetually vulnerable. Do with memory what we do with crypto: have guys far above my pay grade define a few primatives after subjecting the field to rigorous study, subject those primatives to massive amounts of testing lasting decades, and instruct mere mortals to never, ever, ever re-implement a primative even if they think after 2 hours of reflection "Hey, I can save 2% of my clock cycles and STILL be just as secure!"
Help poke pirates in the eyepatch, arr.
> I have not succeeded in making this code do anything more than cause a crash and eat up system resources
:D
Okay so it's not a bug at all, just normal Firefox behaviour. Fine, we can all rest easy
What is worrying is that now if a serious bug is found in Firefox, people will not believe it.
These guys just released a type of so called vulnerability. It is able to crash a system. But what the purpose to attract a user to webpage just to crash a system? Guys made useless job or came upon the vulnerability by ocassion and made some ad for themselves. And trick Mozilla's staff for a couple of days :)
Have fun while you live
So a pair of crackers get up on stage and describe an exploit with no proof and some people are surprised when it's a hoax. When you consider the primary motivation of many crackers, the hoax shouldn't come as a surprise. Every cracker or wannabe cracker that I've ever met is a sad individual with low self-esteem looking to counter this with a bit of ego boosting. Why else do a lot of the more theatrical exploit demonstations come with an obligatory swipe at the quality of the code they have supposeldy exploited? The truth is that many crackers are piss poor programmers who spend ages poring over code that they themselves lack the ability to have written. When they find a possible vulnerability, rather than reporting it to the authors and waiting for a timely security update to be released, they try and boost their own egos by demonstrations at some toe-curlingly named conference.
If you look at their blogsite you will find Microsoft mentioned in there. http://www.sixapart.com/ gives this on netcraft wich i find perticularly interesting....: "a.microsoft.com Microsoft Corporation, One Microsoft Way, Redmond, 98052, United States January 2005 AkamaiGHost" ...etc, the list goes on and it looks like an effort to hide something.
Are they affiliated with Microsoft in any way as this suggests its much worse than some stupid prank.
HTTP/1.1 400
As predicted here
FYI YMMV => I only spent 15 on this topic...
A fool throws a stone into a well and a thousand sages can not remove it.
Great artists steal.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
How much? I'm up for some easy money.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
There was going to be a presentation on a javascript XSS exploit in one of SixApart's most popular websites right afterwards too that sorta had to be called off at the last minute.