By Joris Evers, 2 October 2006 08:45
The open source Firefox web browser is critically flawed in the way it handles JavaScript, two hackers said on Saturday afternoon.
An attacker could commandeer a computer running the browser simply by crafting a web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference in San Diego. The flaw affects Firefox on Windows, Apple's Mac OS X and Linux, they said.
The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess", he said, adding: "It is impossible to patch."
The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation on Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk but that seems to be their goal."
At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.
The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, however.
Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty programme instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.
Ruderman said: "I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets."
The two hackers laughed off the comment. Wbeelsoi said: "It is a double-edged sword, but what we're doing is really for the greater good of the internet; we're setting up communication networks for black hats."
Joris Evers writes for CNET News.com

Comments
There are 4 comments.
1. anonymous
Well I'm not a security pro, but forgive me if 'communication networks for black hats' doesn't sound like something for the greater good of the internet. Incidentally, it's worth mentioning that Firefox seems to be less reliable than IE ever was on my laptop.
2. Felix Goodman
After years of dealing with IE flaws and its characteristic 'lifeline' dependent upon the version (much like Windows, enjoy Vista :P), I will stand by Firefox no matter what some jerk with too much time on their hands thinks they can do. Firefox stands apart from the MS hegemony by opening its development to its users, and perhaps due to this, it has been nothing but clean and reliable since I began using it. I'm glad they've made it this far, and I think they deserve some respect.
3. anonymous
All Firefox users should simply download an extension called NoScript from https://addons.mozilla.org/firefox/722/
This disables JavaScript by default on all sites. While this might affect the look and feel of most sites, they will remain largely functional.
Any trusted sites can be temporarily or permanently enabled to use Java, using a simple click on the NoScript icon.
In using this you will find many sites that use java but still work just fine without it enabled, which makes you wonder just what that java was doing if it's not integral to the site's functioning.
4. John
Oh please! Causing a stack overflow is trivial in any browser. I think you're taking this entire episode out of context.