Network News

X My Profile
View More Activity

The Truth About a Claimed Firefox Exploit

A colorful duo of young hackers at the Toorcon security conference presented evidence Saturday that suggested a previously undocumented flaw in Mozilla's Firefox Web browser is actively being exploited to compromise machines of users cruising the Web with the browser. This story has been pretty widely reported over the past few days, but a few key facts have been absent from most of the coverage I've seen, and I wanted to try to help set the record straight on this.

The Toorcon talk was given by Mischa Spiegelmock a software engineer for Six Apart's LiveJournal blogging service, and a guy speaking under the pseudonym "Andrew Wbeelsoi." They prefaced their presentation by calling on security researchers everywhere to stop publicizing and fixing software security vulnerabilities.

"We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."

Both speakers lectured at length about ways to cloak your identity online to engage in criminal activities, ranging from creating botnets to installing spyware on users' machines. They ardently urged those in attendance to use their knowledge to "ruin things" as much as possible for Internet users.

One way to accomplish that goal, the two claimed, was to exploit a vulnerability in the way Firefox handles Javascript that they said could allow malicious Web sites to install spyware if users merely browsed a specially configured Web site that took advantage of the flaw in the way that they described.

Here are the parts I haven't seen reported yet elsewhere on this:

Spiegelmock admitted to me Saturday evening that the duo's research wasn't quite as solid as they led people to believe. Turns out, they confirmed that the bug they found could be used to crash Firefox, but that they hadn't bothered to do the work to tell whether that crash could be exploited to allow bad guys to install software. "We were just trying to have some fun up there," Spiegelmock said.

Window Snyder, head of security strategy for Mozilla stood next to me as Spiegelmock explained; she was not amused. Spiegelmock gave Mozilla a statement confirming more or less what he told Window and me Saturday evening, which Mozilla has since posted on its site.

Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile Javascript attack against close to a million LiveJournal users, an attack that Security Fix profiled in January.

By Brian Krebs  |  October 3, 2006; 12:35 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Warns of Attacks on Unpatched Windows, IE and Office Flaws
Next: Got Phish? Drop 'Em in the 'Phishtank'

No comments have been posted to this entry.

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company