At the ToorCon hacker convention in San Diego, SixApart employee Mischa Spiegelmock recently called Firefox's security "a complete mess" and "impossible to patch". Spiegelmock and fellow presenter Andrew Wbeelsoi pointed to Firefox's implementation of JavaScript support and made light of the ease with which one could trigger stack overflows in the Firefox JS engine, potentially allowing for remote code execution on the target machine.

Window Snyder, the Mozilla Organization's security chief, took the claims seriously and said "We're going to do some investigating." She also expressed some displeasure, which I would agree with, over the fact that Spiegelmock and Wbeelsoi may have revealed enough information during their presentation to put current Firefox users at risk. Following the initial reaction, Spiegelmock proceeded to officially register the vulnerability, and Mozilla Org has been taking it seriously.

What has emerged in the last few hours is a statement from Mischa specifically indicating that their code sample would not result in anything other than a browser crash. To quote him, "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has. I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code."

Mozilla Org must be pleased with this info but, according to Madame Snyder, continues to take the vulnerability seriously and investigate the root cause. As for us, well, it has been exciting, if perhaps a touch melodramatic, while it lasted.
For now we'll slip back into our warm and sleepy trust of Firefox security and hope that the episode might serve to encourage rather less sensational 2007 ToorCon presentations.
About the Author
Brice Dunwoodie is the founder and CEO of Simpler Media Group, publisher of CMSWire, Reworked and VKTR. With more than 25 years of enterprise software experience at the intersection of technology, business operations and executive-level strategy, Brice maintains a focus on clarity, evidence-based analysis, visionary thinking and practitioner relevance. His academic background spans California Polytechnic University and the University of Michigan with a focus on psychology, computer science and leadership practices.