October 3, 2006 1:59 PM PDT

Hacker backpedals on Firefox zero-day claim

A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open-source Web browser simply by crafting a Web page that contains some malicious JavaScript code, they said. They displayed some of that code.


But Spiegelmock has now backpedaled on those claims. In a statement provided to Mozilla, which coordinates development of Firefox, Spiegelmock said that the computer code displayed during the presentation does not fully compromise a PC running the browser.

"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," he wrote in the statement, which was posted on Mozilla's Web site on Monday.

"The main purpose of our talk was to be humorous," Spiegelmock wrote. "I apologize to everyone involved, and I hope I have made everything as clear as possible."

He pinned the claim that the hackers know of 30 yet-to-be-fixed flaws in Firefox entirely on his co-presenter, Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not," Spiegelmock wrote. Wbeelsoi could not immediately be reached for comment.


The presentation at ToorCon caused a stir among Firefox developers. People worked through the weekend to investigate the issue, Window Snyder, Mozilla's security chief, said on Tuesday. Mozilla's bug-tracking Web site shows some evidence of that.

"At this point, Mischa is cooperating with us, and we're pleased that he has decided to work with us, but we're disappointed that so many people were spun up about this," she said. "It is an expensive operation in terms of resources and the individuals who lost time with their families over the weekend."

Based on the information Spiegelmock provided to Mozilla, the issue presented at ToorCon could still be a serious flaw, but so far, it looks like an innocuous crash, Snyder said. "We've got a potential issue, but at this point it is essentially a reliability issue. We have not been able to demonstrate code execution," she said.

In his statement, Spiegelmock wrote that the presentation included "a previously known Firefox vulnerability." Snyder, however, said that the potential issue is similar to an old bug, but is different.

"What they presented was a potential vulnerability," Snyder said. "Whenever you see a crash you want to investigate it completely, to evaluate whether or not there is any security impact. We have not exhausted all the options, so we're going to work on it...The right thing for Firefox users is to take it seriously and not dismiss anything."

Another security expert said the issue is nothing more than something that would cause Firefox to crash. "The test case from their slides is merely an out-of-memory crash bug and not a vulnerability," bug hunter Tom Ferris said. "Apparently, these guys just wanted to troll the media and the people at ToorCon."

Snyder couldn't say whether Mozilla would issue a patch to fix the reliability issue and potential vulnerability, or address it in a future release of the browser. "I can't say at this point, it requires further investigation," she said.


19 comments

CNET, why do you keep calling this a zero-day exploit?
Zero-day exploits are ones that are discovered on the day the software is made available*. From what I've read, this supposed exploit is of FF's javascript implementation that's been in the browser for quite some time, so this hardly qualified as zero-day. Am I missing something?

*source: http://en.wikipedia.org/wiki/Zero-day
Posted by (34 comments )
RE
From the Wikipedia article you linked to:
"Zero-Day exploits are released before, or on the same day the vulnerability - and, sometimes, the vendor patch - are released to the public. The term derives from the number of days between the public advisory and the release of the exploit."

So it's not one when the software was released. I think the part you were confused on was the first paragraph:

"Zero day or 0day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. Items obtained pre-release are sometimes labeled Negative day or -day. Zero-day software, videos, and music usually have been either illegally obtained or illegally copied."

Which uses Zero day in a different context from the one it's being used in this article.
Posted by unknown unknown (1951 comments )
Continue to read Wikipedia and...
you will see that the term zero-day also means:

"Zero-Day exploits are released before, or on the same day the vulnerability - and, sometimes, the vendor patch - are released to the public."

In this case, the supposed exploit code was released before a vendor patch, hence the term zero-day.

Joris
CNET News.com
Posted by JorisEvers (48 comments )
15 minutes....
And your time is up!

What a waste of time.
Posted by Sboston (498 comments )
Waste of Time
You know it! I'm still rather irritated about it. Since Six Apart owns LiveJournal and I blog at that site, I'd canceled my paid subscription renewal and then, upon hearing that it was all a ha-ha-ha practical joke, had to go re-enable it.

Monumental. Waste. Of. Time.
Posted by Trane Francks (936 comments )
"Security researchers" "Hackers" cannot be trusted
It's looking more and more like these so-called experts and hackers are nothing more than publicity seekers who cannot be trusted. They're almost as bad as the truly malicious criminal hackers and scammers and in some ways go out of their way to be helpful to the bad guys.
Posted by lkrupp (1608 comments )
Ha, Probably MS Operatives
Ha, these two hackers are probably Microsoft hacks hired to discredit non-MS products. Look at how fast people jumped all over Firefox security and praised Internet Explorer. It's time to pre-text these hackers' phone records to look for calls to Redmond. Maybe HP can help with the investigation.
Posted by CancerMan2 (74 comments )
Questions Questions?
Many questions in this affair remain either unanswered or very vague answers were supplied!

But for now, the conspiracy theorists have been given enough little tidbits to start pointing the bone with a vengeance!

Oh well, the witch hunt has now only just begun!

That dragon breath of flame of blame, will now be ramped up to next level of the extreme heat of the sun's core, and those that cried wolf will become instant charcoal!
Posted by heystoopid (691 comments )
OR,
Maybe the exploit is real, and this guy wants to avoid being sued for conducting unethical hacking. Computer crime laws are none too clear on the matter.
Posted by Marcus Westrup (630 comments )
sheesh
Talk about clutching at straws.

Anyone can get the source. So if a flaw was found there is nothing mozilla can do about it.

Just like when flaws are found in windows, publishing details beforehand, while frowned on, can't be stopped by MS.

If the exploit was real, then it would have been confirmed by a third party, if not mozilla.
Posted by qwerty75 (1164 comments )
Punks
nothing but greasy long haired punks. Flog them. He should be fired from that company he works for or all of their customers should go somewhere else for their blog business.
Posted by Lindy01 (443 comments )
The real reason for the exploit news
The exploit, which was not an exploit at all, but instead a DoS (still bad but not as headline grabbing) was announced at the Saturday night party. Look for yourself who sponsored that particular event...

http://www.toorcon.org/2006/conference.html
Posted by amadensor (248 comments )
Exploit is there
If the hackers were asked to present, then they must have much clout within the Firefox/security community.

Looks like the exploits are there but the hackers were told to take back their comment to stop the panic.

Why not find out the issues and fix them instead of hiding them?
Posted by kamchoor (42 comments )
lol
You are describing MS not mozilla.

If there was exploitable code it would have been found, if not by mozilla, then by 3rd parties poring over the source code.
Posted by qwerty75 (1164 comments )
What about the hapless MS fans?
They thought they finally found a reason to keep using the constantly and easily hacked IE, and were clutching hard to this hoax.

Can't someone think about all the retards this is hurting?

LOL
Posted by qwerty75 (1164 comments )
exactly...
Think of the fanboys! This will have them so depressed.
Posted by chris_d (195 comments )
My only qualm is...
This was purported as a Zero-Day threat when in fact it's not really a threat at all.

An unexploitable exploit is not an exploit... it's an attempt at exploitation.

Since when have attempts at exploitation been labelled Zero-Day Flaws or Zero-Day attacks when such attacks are not even possible?

Thus in the future I recommend that CNET have the proclaiming hackers show CNET their exploit and confirm that it is in fact an exploit prior to bringing the story to print as an exploit.

Walt
Posted by wbenton (522 comments )