The Truth About a Claimed Firefox Exploit
A colorful duo of young hackers at the Toorcon security conference presented evidence Saturday that suggested a previously undocumented flaw in Mozilla's Firefox Web browser is actively being exploited to compromise machines of users cruising the Web with the browser. This story has been pretty widely reported over the past few days, but a few key facts have been absent from most of the coverage I've seen, and I wanted to try to help set the record straight on this.
The Toorcon talk was given by Mischa Spiegelmock, a software engineer for Six Apart's LiveJournal blogging service, and a guy speaking under the pseudonym "Andrew Wbeelsoi." They prefaced their presentation by calling on security researchers everywhere to stop publicizing and fixing software security vulnerabilities.
"We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."
Both speakers lectured at length about ways to cloak your identity online to engage in criminal activities, ranging from creating botnets to installing spyware on users' machines. They ardently urged those in attendance to use their knowledge to "ruin things" as much as possible for Internet users.
Here are the parts I haven't seen reported yet elsewhere on this:
Spiegelmock admitted to me Saturday evening that the duo's research wasn't quite as solid as they led people to believe. Turns out, they confirmed that the bug they found could be used to crash Firefox, but that they hadn't bothered to do the work to tell whether that crash could be exploited to allow bad guys to install software. "We were just trying to have some fun up there," Spiegelmock said.
Window Snyder, head of security strategy for Mozilla, stood next to me as Spiegelmock explained; she was not amused. Spiegelmock gave Mozilla a statement confirming more or less what he told Window and me Saturday evening, which Mozilla has since posted on its site.
October 3, 2006; 12:35 PM ET