Firefox Zero-Day Code Execution Hoax?

Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.
This discussion has been archived. No new comments can be posted.

  • by davidwr ( 791652 ) on Tuesday October 03, 2006 @02:09PM (#16294755) Homepage Journal
    Or until someone wastes time taking you seriously.

    Yelling "bomb" in an airport isn't funny. Neither is this.

    Next time, make it painfully obvious you are joking so people don't waste valuable time.
  • by Opportunist ( 166417 ) on Tuesday October 03, 2006 @02:09PM (#16294765)
    And, this should be noted, this should NOT be limited to security exploits and hoaxes. It's twice as true for news that really matters. Too many people want to believe what they hear as long as it fits their personal point of view, without even questioning whether something is true or not.

    As long as it fits into their view of the world, it becomes true for them and they perpetuate the lie.
  • What a shock (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 03, 2006 @02:17PM (#16294895)
    The skillless losers from Bantown whose purpose in life is to stir up pointless drama don't actually have any real exploits? Surprising.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday October 03, 2006 @02:24PM (#16295007)
    I think that these two were looking for a little fame ... and did not realize how the professionals would react to their claims.

    Once they realized that the professionals (who are better programmers than they) were looking into their claims, they fell back on the "it's a joke" claim.
  • by Lord Ender ( 156273 ) on Tuesday October 03, 2006 @02:28PM (#16295055) Homepage
    It takes a very rare and specific skill set to write a memory corruption exploit. The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible.
  • Does that include the article saying it was a hoax? What are we to believe?!?!?

  • by Kelson ( 129150 ) * on Tuesday October 03, 2006 @02:58PM (#16295501) Homepage Journal
    The way this went down reminds me of an event from high school. Now, to put this in perspective, it was probably 1993, so about 5 years before Columbine.

    There was a drama festival that our school attended each year, held at a nearby college. One year, one of our scenes involved prop guns. One of my classmates took one of the fake guns up onto a balcony, stood on the railing, and pretended he was going to shoot himself. Big surprise, campus security showed up, assuming he had a real gun and was really going to blow his brains out. The next year, the festival banned prop weapons. IIRC if you had a scene that needed them, you could sign up to use *their* props, which would be provided for the particular scene.

    Had he done the same thing on stage, introduced as a monologue he had written, with people aware the gun was a prop, no one would have freaked out.

    Back to the Firefox panel, I don't know how clearly this presentation was labeled as humor. But all it takes is someone who doesn't have the full context to take it seriously -- and security people have to take threats seriously, at least long enough to investigate and find out that the gun is just a prop.
  • by Anonymous Coward on Tuesday October 03, 2006 @03:09PM (#16295687)
    I recommend looking at this as a start:

    http://forums.mozillazine.org/viewtopic.php?t=405151 [mozillazine.org]

    There seem to be 2 bugs related to copy and paste.
  • Trust but verify (Score:3, Insightful)

    by ursabear ( 818651 ) on Tuesday October 03, 2006 @04:07PM (#16296799) Homepage Journal
    I'm with some of the folks here about secondary verification.

    Something deep inside me gives a knee jerk any time a developer or product engineer starts any sentence with "I have not succeeded in making this code do..." or "I cannot reproduce..." (no pun intended).

    I think Firefox is pretty good. So far (since the first public betas), I get very few issues at runtime (besides the occasional spin-forever cursor when Firefox encounters a site with some really bad browser-side code.)
  • by CharonX ( 522492 ) on Tuesday October 03, 2006 @04:20PM (#16296979) Journal
    Well seems like my notion was right after all.
    They are nothing but sad wannabes, scriptkiddies who wanted to pose as l33t haX0rZ. Well, heads up guys, this will have been your last convention for quite some time because somehow quite unexpectedly (for you) most of the community didn't go "we really got punked!!! LOLOLOLOLOL! you win teh internets!" Bottom line. Don't be an asshole, or you will pay for it.
  • by hyrdra ( 260687 ) on Tuesday October 03, 2006 @05:50PM (#16298213) Homepage Journal
    Everyone here should read this article:
    http://blog.washingtonpost.com/securityfix/2006/10/zeroday_firefox_exploit_claime.html [washingtonpost.com]

    It actually turns out that Mischa Spiegelmock and Andrew Wbeelsoi are closely related. As we all now know, Mischa works for LiveJournal. Andrew Wbeelsoi is part of Bantown, who claimed responsibility for a JavaScript attack on LiveJournal (see http://blog.washingtonpost.com/securityfix/2006/01/account_hijackings_force_livej.html [washingtonpost.com]).

    The two are obviously related, and LiveJournal should consider immediate termination of their employee Mischa, as he is in league with Wbeelsoi, who attacked LiveJournal members themselves.

    Here are some nice quotes from the article:

    "We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."
    "We were just trying to have some fun up there," Spiegelmock said.

    Mozilla should really consider civil, if not criminal actions. Damage to the Firefox brand has already been done, regardless if the exploit is real or not.
