
Comments on: Hacker backpedals on Firefox zero-day claim

Researcher who claimed to have found a serious bug now says he was never able to use it to hijack computers.

(19 Comments)
Cnet, why do you keep calling this a zero-day exploit?
by October 3, 2006 2:49 PM PDT
Zero-day exploits are ones that are discovered on the day the software is made available*. From what I've read, this supposed exploit is of FF's javascript implementation that's been in the browser for quite some time, so this hardly qualifies as zero-day. Am I missing something?

*source: http://en.wikipedia.org/wiki/Zero-day
RE
by unknown unknown October 3, 2006 2:57 PM PDT
From the Wikipedia article you linked to:
"Zero-Day exploits are released before, or on the same day the vulnerability – and, sometimes, the vendor patch – are released to the public. The term derives from the number of days between the public advisory and the release of the exploit."

So it's not one when the software was released. I think the part you got confused on was the first paragraph:

"Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. Items obtained pre-release are sometimes labeled Negative day or -day. Zero-day software, videos, and music usually have been either illegally obtained or illegally copied."

Which uses Zero day in a different context from the one it's being used in this article.
Continue to read Wikipedia and...
by JorisEvers October 3, 2006 3:08 PM PDT
you will see that the term zero-day also means:

"Zero-Day exploits are released before, or on the same day the vulnerability – and, sometimes, the vendor patch – are released to the public."

In this case, the supposed exploit code was released before a vendor patch, hence the term zero-day.

Joris
CNET News.com
15 minutes....
by Sboston October 3, 2006 3:00 PM PDT
And your time is up!

What a waste of time.
Waste of Time
by Trane Francks October 5, 2006 5:52 PM PDT
You know it! I'm still rather irritated about it. Since Six Apart owns LiveJournal and I blog at that site, I'd canceled my paid subscription renewal and then, upon hearing that it was all a ha-ha-ha practical joke, had to go re-enable it.

Monumental. Waste. Of. Time.
"Security researchers" "Hackers" cannot be trusted
by lkrupp October 3, 2006 3:03 PM PDT
It's looking more and more like these so-called experts and hackers are nothing more than publicity seekers who cannot be trusted. They're almost as bad as the truly malicious criminal hackers and scammers and in some ways go out of their way to be helpful to the bad guys.
Ha, Probably MS Operatives
by CancerMan2 October 3, 2006 4:27 PM PDT
Ha, these two hackers are probably Microsoft hacks hired to discredit non-MS products. Look at how fast people jumped all over Firefox security and praised Internet Explorer. It's time to pre-text these hackers' phone records to look for calls to Redmond. Maybe HP can help with the investigation.
Questions Questions?
by heystoopid October 3, 2006 4:32 PM PDT
Many questions in this affair remain either unanswered or very vague answers were supplied!

But for now, the conspiracy theorists have been given enough little tidbits to start pointing the bone with a vengeance!

Oh well, the witch hunt has now only just begun!

That dragon breath of flame of blame, will now be ramped up to next level of the extreme heat of the sun's core, and those that cried wolf will become instant charcoal!
OR,
by Marcus Westrup October 3, 2006 4:32 PM PDT
Maybe the exploit is real, and this guy wants to avoid being sued for conducting "unethical hacking". Computer crime laws are none too clear on the matter.
sheesh
by qwerty75 October 4, 2006 9:11 AM PDT
Talk about clutching at straws.

Anyone can get the source. So if a flaw was found there is nothing mozilla can do about it.

Just like when flaws are found in windows, publishing details beforehand, while frowned on, can't be stopped by MS.

If the exploit was real, then it would have been confirmed by a third party, if not mozilla.
Punks
by Lindy01 October 4, 2006 5:55 AM PDT
Nothing but greasy long-haired punks. Flog them. He should be fired from that company he works for or all of their customers should go somewhere else for their blog business.
The real reason for the exploit news
by amadensor October 4, 2006 5:56 AM PDT
The exploit, which was not an exploit at all, but instead a DoS (still bad but not as headline grabbing) was announced at the Saturday night party. Look for yourself who sponsored that particular event...

http://www.toorcon.org/2006/conference.html
Exploit is there
by kamchoor October 4, 2006 6:43 AM PDT
If the hackers were asked to present, then they must have much clout within the Firefox/security community.

Looks like the exploits are there but the hackers were told to take back their comment to stop the panic.

Why not find out the issues and fix them instead of hiding them?
lol
by qwerty75 October 4, 2006 9:05 AM PDT
You are describing MS not mozilla.

If there was exploitable code it would have been found, if not by mozilla, then by 3rd parties poring over the source code.
What about the hapless MS fans?
by qwerty75 October 4, 2006 9:06 AM PDT
They thought they finally found a reason to keep using the constantly and easily hacked IE, and were clutching hard to this hoax.

Can't someone think about all the retards this is hurting?

LOL
exactly...
by chris_d October 5, 2006 12:01 PM PDT
Think of the fanboys! This will have them so depressed.
My only qualm is...
by wbenton October 7, 2006 12:04 AM PDT
This was purported as a Zero-Day threat when in fact it's not really a threat at all.

An unexploitable exploit is not an exploit... it's an attempt at exploitation.

Since when have attempts at exploitation been labelled Zero-Day Flaws or Zero-Day attacks when such attacks are not even possible?

Thus in the future I recommend that CNET have the proclaiming hackers show CNET their exploit and confirm that it is in fact an exploit prior to bringing the story to print as an exploit.

Walt