• Medlem
  • Karlstad
  • 2006-10-02 17:31


ToorCon hacker conference in San Diego said that they've found a critical
flaw in Firefox that looks, to them at least, impossible to patch.

The hackers, who have been named as Mischa Spiegelmock and Andrew Wbeelsoi,
said that someone could execute an attack simply by creating a webpage with
malicious JavaScript code. In most attacks, hackers have to get a computer
user to download something to the computer, but in this case, they won't
know what hit them.

Windows users are used to facing security threats, but smug Apple and Linux
users aren't immune to this bug, as it affects all versions of Firefox.
(min kursivering)

Spiegelmock said that malicious code could create a stack overflow error,
and called the implementation "a complete mess".

Mozilla's security chief Window Snyder took the presentation completely
seriously after watch a video of it; she said Mozilla would "do some
investigating", but isn't happy of the release of the exploit to the wide
world of hackers.

The reason that the flaw is so difficult to patch? It's in the part of the
browser that deals with JavaScript.

After hearing that the two hackers know of another 30 unpatched flaws in
Firefox, Jesse Ruderman, a Mozilla security staffer, encouraged them to
disclose the bugs to Mozilla, who gives away $500 per vulnerability.

Wbeelsoi simply said, "It's a double-edged sword, but what we're doing is
really for the greater good of the Internet. We're setting up a
communication networks for black hats".

Black hats are malicious hackers, and most want to exploit flaws for private
gain. However, many promote accessibility over privacy and security, so why
they want to target open-source software of the type Mozilla develops is
anyone's guess.