Firefox Security
At the ToorCon hacker convention in San Diego, SixApart employee Mischa Spiegelmock recently called Firefox's security "a complete mess" and "impossible to patch". Spiegelmock and fellow presenter Andrew Wbeelsoi pointed to Firefox's implementation of JavaScript support and made light of the ease with which one could generate stack overflows in the Firefox JS engine, potentially allowing for remote code execution on the target machine. Window Snyder, the Mozilla Organization's security chief, took the claims seriously and said "We're going to do some investigating." She also expressed some displeasure, which I would agree with, over the fact that Spiegelmock and Wbeelsoi may have revealed enough information during their presentation to put current Firefox users at risk.

Following the initial reaction, Spiegelmock proceeded to officially register the vulnerability, and Mozilla Org has been taking it seriously. What has emerged in the last few hours is a statement from Mischa specifically indicating that their code sample would not result in anything other than a browser crash. To quote him, "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code."

Mozilla Org must be pleased with this info but, according to Madame Snyder, continues to take the vulnerability seriously and investigate the root cause. As for us, well, it has been exciting, if perhaps a touch melodramatic, while it lasted.
For now we'll slip back into our warm and sleepy trust of Firefox security and hope that the episode might serve to encourage rather less sensational 2007 ToorCon presentations.