Mozilla still looking into Firefox flaw claims

Dennis Fisher, Executive Editor

Despite claims by one of the researchers involved that the whole thing was a joke, security experts at Mozilla Corp. are continuing to investigate whether there is indeed a remotely exploitable flaw in the Firefox browser.

Window Snyder, Mozilla's security chief, said she and others at the company have been unable to reproduce the remote code execution that Mischa Spiegelmock and Andrew Wbeelsoi claimed recently was possible using a new flaw in Firefox's JavaScript implementation. However, she emphasized that Mozilla still is taking the issue very seriously and intends to continue looking into the vulnerability until it's clear that there's no merit to the claim.

"It doesn't look like it's going to be a serious problem, but we're still investigating what can be done about it," Snyder said. "We're looking to see if there's anything to fix."

Mozilla has confirmed that there is a flaw in Firefox that can allow attackers to cause a denial-of-service condition by consuming a large amount of system resources. The problem, known as an "out-of-memory" condition, is not remotely exploitable and cannot be used to run arbitrary code on target machines, as far as the Mozilla engineers can see at this point. The claims of code execution by Spiegelmock and Wbeelsoi, which they made at a security conference late last month, set off a mad scramble in the security community, as researchers and crackers pored over the pair's exploit code.

However, within a few hours of their presentation, Spiegelmock told Snyder that he had only been joking about the code execution potential in the flaw and also said he knew nothing about the 29 other Firefox vulnerabilities that Wbeelsoi claimed to have in reserve. Snyder said Mozilla is not concerned with those other flaws and added that despite the messy way it all played out, she is encouraged by the results of the investigation into the JavaScript vulnerability.

"I think it's a reflection of people doing the right thing and taking these reports seriously," said Snyder, who was instrumental in helping to establish Microsoft Corp.'s stance on responsible disclosure when she worked for the software giant. "A couple of individuals took advantage of that, and that's disappointing. But I'm happy that people are taking vulnerabilities seriously."

This article originally appeared on SearchSecurity.com.

