SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

"Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure," said Spiegelmock, who in everyday life works at blog company SixApart. He detailed the flaw, showing a slide that displayed key parts of the attack code needed to exploit it.

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

blowdart wrote:

"Internet Explorer, everybody knows, is not very secure."

Xaero_Vincent wrote:

"It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."

W3bbo wrote:

A slight contradiction, surely?

Xaero_Vincent wrote:

OMG... those hackers are complete idiots!

<snip>

My response:

30 * 500 = $15,000

Those two hackers could have scored $15,000 to share amongst themselves by simply disclosing information about their findings.


Regards,
Vincent

Jason Cox wrote:

I wonder how long until there is a flaw in the wild.

blowdart wrote:

http://news.zdnet.com/2100-1009_22-6121608.html

The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch."

These sort of statements always intrigue me.

WillemM wrote:


Isn't this a good reason to throw out the old implementation of javascript and start with a new one, that doesn't have these flaws?

jaylittle wrote:



Another_Darren wrote: Reminds me of a story about two Security guys who found a flaw in wifi cards that can hack any OS, they even demo'd it a mac laptop.

Yeah and they were pretty much totally full of it.  The demo was done using a third party USB wireless device with a third party driver.  Hence by default Apple had nothing to do with it since the security hole was on the driver level.

petknep_home wrote:

Side note: IMO, they should be responsible and disclose them.

Cybermagellan wrote:



petknep_home wrote: Side note: IMO, they should be responsible and disclose them.

Especially when a company that you work for is disclosed in the article

"who in everyday life works at blog company SixApart"

petknep_home wrote:


The problem with your response that $15,000 for 30 exploits is basically nothing between two people. A given browser exploit for IE supposedly has a street value of $10,000. Assuming FireFox exploits are about the same in price, they make 20x by holding them back from MoFo.

Rossj wrote:

Apparently this is a hoax. I hate to think how much dev time this might have wasted, and can imagine how upset a corporate might be if someone pulled this one and they wasted hours or days looking for a bug that was already known about.

Rotem Kirshenbaum wrote:



Rossj wrote:Apparently this is a hoax. I hate to think how much dev time this might have wasted, and can imagine how upset a corporate might be if someone pulled this one and they wasted hours or days looking for a bug that was already known about.

Hoax or not, it doesn't mean that the implementation of JavaScript in FF is not almost impossible to patch.

Rotem

Rotem Kirshenbaum wrote:



Rossj wrote:Apparently this is a hoax. I hate to think how much dev time this might have wasted, and can imagine how upset a corporate might be if someone pulled this one and they wasted hours or days looking for a bug that was already known about.

Hoax or not, it doesn't mean that the implementation of JavaScript in FF is not almost impossible to patch.

Rotem

Another_Darren wrote:



Rotem Kirshenbaum wrote:  Rossj wrote: Apparently this is a hoax. I hate to think how much dev time this might have wasted, and can imagine how upset a corporate might be if someone pulled this one and they wasted hours or days looking for a bug that was already known about. Hoax or not, it doesn't mean that the implementation of JavaScript in FF is not almost impossible to patch. Rotem

Wow, you laid it out with all the facts...  "doesn't mean", "not almost"

Alleged hacker wrote:

The main purpose of our talk was to be humorous.
...
I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

Rossj wrote:

Here we go.

Alleged hacker wrote: The main purpose of our talk was to be humorous. ... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

MB wrote:

Ya, I am being larfing so much I am being making wetting of the pants.