Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Zero-Day Code Execution Hoax?

Posted by ryuzaki0 on from the shouting-fire-in-a-crowded-fox dept.

Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.

32 of 215 comments (clear)

  1. Great!! by zappepcs · · Score: 3, Funny

    The first time that I actually started to worry that FF might have a problem, and that I should be careful, it turns out to be a hoax. I don't know whether to be happy about this or not?

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:Great!! by __aaclcg7560 · · Score: 4, Funny

      Be happy. It could've been worst and happen on Internet Explorer instead.

  2. It's all fun and games until someone gets hurt by davidwr · · Score: 2, Insightful

    Or until someone wastes time taking you seriously.

    Yelling "bomb" in an airport isn't funny. Neither is this.

    Next time, make it painfully obvious you are joking so people don't waste valuable time.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:It's all fun and games until someone gets hurt by Anonymous Coward · · Score: 5, Interesting

      It was painfully obvious to anyone at the presentation that the whole thing was a joke. It was the best presentation I saw at Toorcon just for the hilarity factor. If they were talking at any other convention I'd go see them again.

      Most of the press got the joke, laughed, and ignored it. It was some tool at CNET's fault for compromising his journalistic integrity and reporting satire as fact that caused the problem.

    2. Re:It's all fun and games until someone gets hurt by Kelson · · Score: 4, Insightful

      The way this went down reminds me of an event from high school. Now, to put this in perspective, it was probably 1993, so about 5 years before Columbine.

      There was a drama festival that our school attended each year, held at a nearby college. One year, one of our scenes involved prop guns. One of my classmates took one of the fake guns up onto a balcony, stood on the railing, and pretended he was going to shoot himself. Big surprise, campus security showed up, assuming he had a real gun and was really going to blow his brains out. The next year, the festival banned prop weapons. IIRC if you had a scene that needed them, you could sign up to use *their* props, which would be provided for the particular scene.

      Had he done the same thing on stage, introduced as a monologue he had written, with people aware the gun was a prop, no one would have freaked out.

      Back to the Firefox panel, I don't know how clearly this presentation was labeled as humor. But all it takes is someone who doesn't have the full context to take it seriously -- and security people have to take threats seriously, at least long enough to investigate and find out that the gun is just a prop.

  3. ...crash and eat up system resources... by RHIC · · Score: 5, Funny

    No change there then.

  4. Never believe anything without a second source by Opportunist · · Score: 3, Insightful

    And, this should noted, this should NOT be limited to security exploits and hoaxes. It's twice as true for news that really matter. Too many people want to believe what they hear as long as it fits their personal point of view, without even questioning whether something is true or not.

    As long as it fits into their view of the world, it becomes true for them and they perpetuate the lie.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Never believe anything without a second source by gEvil+(beta) · · Score: 5, Funny

      Never believe anything without a second source

      Anyone want to reiterate what he said so we can know that we should believe him?

      --
      This guy's the limit!
    2. Re:Never believe anything without a second source by chroot_james · · Score: 4, Funny

      I'll back him up. Kind of. I propose requiring a third source. Anyone want to reiterate?

      --
      Reality is nothing but a collective hunch.
    3. Re:Never believe anything without a second source by Billosaur · · Score: 2, Insightful

      Does that include the article saying it was a hoax? What are we to believe?!?!?

      --
      GetOuttaMySpace - The Anti-Social Network
    4. Re:Never believe anything without a second source by Senzei · · Score: 3, Funny
      I disagree. Now you still have to find a 3rd source to agree with you and 3 sources to discredit me. And of course I just got off work so I have all day long to disagree with those who disagree with me in the first place. Better put on a cup of coffee. :-)
      Actually, I think you owe us two more sources to confirm your disagreement. Well, I would think that, but we haven't found three sources to conclusively prove that three sources are needed to conclusively prove something.
      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
  5. Microsoft link? by masklinn · · Score: 4, Interesting

    This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:

    A blog called Geemondo also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys.

    (PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)

    --
    "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
  6. Not a funny joke by loconet · · Score: 4, Informative

    There is also a post about this on the Washington Post. Apparently, they were just having fun?

    If I was Alistapart, I would have gotten rid of this "clown" immediately.

    --
    [alk]
    1. Re:Not a funny joke by tsu+doh+nimh · · Score: 2, Interesting

      I think the most interesting part from the Post piece on this is this last line, about LiveJournal's Mischa Spiegelmock, who co-presented this Firefox malarky.

      "The Toorcon talk was given by Mischa Spiegelmock a software engineer for Six Apart's LiveJournal blogging service, and a guy speaking under the pseudonym "Andrew Wbeelsoi."

      Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile Javascript attack against close to a million LiveJournal users, an attack that Security Fix profiled in January."

      --
      ...because you never know who you're dealing with.
  7. Re:Moo by masklinn · · Score: 5, Interesting

    Anyone who releases it on their own is sued for copyright violations.

    Actually not, it's trademark violation, and it's only if you release it under the name of "firefox". Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.

    --
    "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
  8. Moo by Chacham · · Score: 5, Funny

    FireFox has no exploits. All exploits are actually in IceWeasel, to avoid legal action from Mozilla.

    In other news, Microsoft has said thet their version of Genuine Internet Explorer has no bugs, and any bugs, must be due to a bad download, or user tampering. As such, all user installs of Internet Explorer will be renamed to "Meshed-Screen Interpolated E-reader" (MSIE for short), and will subsequently be subject to licensing fees.

    --
    Have you read my journal today?
  9. I don't think it was a "joke". by khasim · · Score: 3, Insightful

    I think that these two were looking for a little fame ... and did not realize how the professionals would react to their claims.

    Once they realized that the professionals (who are better programmers than they) were looking into their claims, they fell back on the "it's a joke" claim.

  10. GMail and JavaScript by Kadin2048 · · Score: 2, Interesting

    You obviously don't use GMail,

    You can use GMail just fine without JavaScript. It complains and writes you a message at the bottom of every page saying something like 'To take full advantage of Gmail, use a supported browser...'

    It does however still work just fine without it.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  11. he hasn't gotten it to do so? by Lord+Ender · · Score: 3, Insightful

    It takes a very rare and specific skill set to write a memory corruption exploit. The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:he hasn't gotten it to do so? by AlgorithMan · · Score: 3, Informative
      The fact that one person was unable to go from overflow to arbitrary code execution

      of course big, complex programs (like a JavaScript VM) have errors, if you want proof, you have to make a hoare calculus http://en.wikipedia.org/wiki/Hoare_logic for the source code and beleive me, this is really really much work! - - - but this alleged error seems to be nothing but posing...
      --
      The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
  12. Then it wasn't painfully obvious enough by davidwr · · Score: 5, Funny

    If the CNET folks didn't get it, the panel should've made sure they did.

    Any prank like this NOT done on 1 April needs to end with "and for those of you who left your sense of humor at home, the preceeding presentation was 100% pure entertainment and any resemblance to reality was purely to tweak your nose. Please stay for the next panel on novel approaches to perpetual motion. Thank you."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Re:NoScript by gorre · · Score: 2, Informative
    You obviously don't use GMail, Google Calendar, and the like.
    With NoScript one can designate sites that are allowed to run javascript, it's just that it is disabled by default. I use NoScript and have simply whitelisted google.com and any other trusted sites that require javascript.
    --
    "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
  14. Re:NoScript by TheRaven64 · · Score: 4, Funny
    But...

    But...

    Web 2.0!

    *splutter*

    --
    I am TheRaven on Soylent News
  15. Re:Sorry, that one's not a hoax by Ja'Achan · · Score: 2, Interesting

    http://www.mozilla.org/projects/seamonkey/Seamonke y is currently using 351 MB of memory, according to Windows Taskmanager. That's after 5 days of uptime, and no exception. I know, it's not Firefox, but I suppose there is a large code base shared.

  16. Re:Not surprised. by Jugalator · · Score: 2, Funny

    I bet you have few friends. :-(

    --
    Beware: In C++, your friends can see your privates!
  17. Re:Let's be honest.. Score -1: Flamebait by Tim+C · · Score: 2, Interesting

    These days, "0day exploit" seems to have changed to mean "an exploit for which there is currently no fix". Not quite the same...

    [Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.

    It's been 4 minutes since you last successfully posted a comment.]

    --
    It's official. Most of you are morons.
  18. Trust but verify by ursabear · · Score: 2, Insightful

    I'm with some of the folks here about secondary verification.

    Something deep inside me gives a knee jerk any time a developer or product engineer starts any sentence with "I have not succeeded in making this code do..." or "I cannot reproduce..." (no pun intended).

    I think Firefox is pretty good. So far (since the first public betas), I get very few issues at runtime (besides the occasional spin-forever cursor when Firefox encounters a site with some really bad browser-side code.)

    --
    A Passionate Independent Musician
  19. Translation: We, the wannabe script-kiddies... by CharonX · · Score: 2, Insightful

    Well seems like my notion was right after all.
    They are nothing but sad wannabes, scriptkiddies who wanted to pose as l33t haX0rZ. Well, heads up guys, this will have been your last convention for quite some time because somehow quite unexpectedly (for you) most of the community didn't go "we really got punked!!! LOLOLOLOLOL! you win teh internets!" Bottom line. Don't be an asshole, or you will pay for it.

    --
    +++ MELON MELON MELON +++ Out of Cheese Error +++ redo from start +++
  20. Re:What's in a name by kayditty · · Score: 2, Funny

    there's no apostrophe in A. Wbeelsoi.

  21. Follow that link at your own risk by emurphy42 · · Score: 2, Informative

    It leads to a piece of JavaScript - either an attempted proof of concept, or just an annoying fork bomb - I didn't bother to work out which, but either way, I recommend sticking with "Save As" or wget or what have you.

  22. He should be fired, prosecuted by hyrdra · · Score: 4, Insightful

    Everyone here should read this article:
    http://blog.washingtonpost.com/securityfix/2006/10 /zeroday_firefox_exploit_claime.html

    It actually turns out that Mischa Spiegelmock and Andrew Wbeelsoi are closely related. As we all now know, Misa works for LiveJournal. Andrew Wbeelsoi is part of Bantown, who claimed responsibility for a Javascript attack on LiveJournal (see http://blog.washingtonpost.com/securityfix/2006/01 /account_hijackings_force_livej.html).

    The two are obviously related, and LiveJournal should consider immediate termination of their employee Mischa, as he is in league with Wbeelsoi, who attacked LiveJournal members themselves.

    Here as some nice quotes from the article:

    "We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."
    "We were just trying to have some fun up there," Spiegelmock said.

    Mozilla should really consider civil, if not criminal actions. Damage to the Firefox brand has already been done, regardless if the exploit is real or not.

    --


    "I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
  23. Re::-/ That won't happen, Six Apart are pansies. by tlhIngan · · Score: 2, Interesting

    Mischa works for Six Apart _because_ Bantown "pwnzed" them two years back.

    Six Apart didn't try to fight them, instead they tempted them with guided tours and positions in the company.

    Utter idiocy.


    Actually, there's more than enough supposition to imply that SixApart's software is contaminated with trojans. Face it, you have someone who wants to claim they have a flaw, and they want to make a secret communications network. The best way to do it is to use sites like LiveJournal and people who use software like MovableType (both SixApart products) to distribute your exploit. What better way than to infect LiveJournal users and readers, and readers of sites using MovableType (and several other popular blogging software) to get them to be part of your network?

    Heck, because of this we can probably issue a statement saying that all of SixApart's products and services may be contaminated with trojan horses. Which may infect all browsers, due to claim by a representative of SixApart. (He may not be the official spokesperson, but since he was introduced as coming from SixApart, he is a representative of the company). And until proven otherwise, all their products and services should be considered suspect, maybe even blacklisted. It is a credible claim, and if this is a hoax, well, who's to say it is or it isn't? Maybe if they claim it's a hoax, their backdoor will stay open.