Mozilla researchers vexed by hackers' fake exploit
Claims of browser flaws weren't meant to be taken seriously, presenter says
Mozilla security researchers spent most of Sunday and yesterday scrambling to determine if exploit code revealed during a presentation by hackers Mischa Spiegelmock and Andrew Wbeelsoi at Toorcon over the weekend could allow someone to execute malicious code through a memory corruption attack on Firefox.
However, Window Snyder, who leads Mozilla's security team, said Spiegelmock admitted to the company that the presentation was meant to be humorous, and he and Wbeelsoi had not actually achieved remote execution with the exploit code demonstrated at the show.
"At best, in some cases it will crash only the client," Snyder said. "That's all we've been able to verify at this point."
Spiegelmock, who works for Six Apart Ltd., confirmed as much in his LiveJournal blog, in which he includes a link to a statement he made that is posted on Snyder's Mozilla blog.
"The main purpose of our talk was to be humorous," the statement says. "As part of our talk, we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
During the presentation, the hackers also said they knew of 30 other vulnerabilities in Firefox but this, too, was a joke, Snyder said.
To hear Six Apart spokeswoman Jane Anderson tell it, the Toorcon presentation was a joke invented by two kids barely out of their teens who didn't understand the ramifications of their actions.
"It was all a parody," she said. Anderson added that Spiegelmock was not representing Six Apart at the show, and the company spent most of Sunday on the phone with Mozilla putting out fires and cooperating with the company to get to the bottom of the matter.
To make matters more embarrassing for Six Apart, the company's earliest investor, Joi Ito, is on Mozilla's board of directors.
Anderson added that Spiegelmock will not be terminated for his actions. "We all make mistakes," she said.
Snyder and the Mozilla team also are being good sports about the ordeal.
"Of course, we always prefer that security researchers report vulnerabilities to us so we can create a patch before customers are put at risk," she said. "But at this point he's been very cooperative and we're pleased he's chosen to work with us."
Still, Snyder said, "I know people who were working really hard here on Sunday probably have other things they'd rather be doing."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts