Hackers warn of critical flaw in Firefox

Look out, the black hats are coming

2 October 2006 12:12 GMT / By Amber Maitland

Two hackers at the ToorCon hacker conference in San Diego said that they’ve found a critical flaw in Firefox that looks, to them at least, impossible to patch.

The hackers, who have been named as Mischa Spiegelmock and Andrew Wbeelsoi, said that someone could execute an attack simply by creating a webpage with malicious JavaScript code. In most attacks, hackers have to get a computer user to download something to the computer, but in this case, they won’t know what hit them.

Windows users are used to facing security threats, but smug Apple and Linux users aren’t immune to this bug, as it affects all versions of Firefox.

Spiegelmock said that malicious code could create a stack overflow error, and called the implementation “a complete mess”.

Mozilla’s security chief Window Snyder took the presentation completely seriously after watch a video of it; she said Mozilla would “do some investigating”, but isn’t happy of the release of the exploit to the wide world of hackers.

The reason that the flaw is so difficult to patch? It’s in the part of the browser that deals with JavaScript.

After hearing that the two hackers know of another 30 unpatched flaws in Firefox, Jesse Ruderman, a Mozilla security staffer, encouraged them to disclose the bugs to Mozilla, who gives away $500 per vulnerability.

Wbeelsoi simply said, “It’s a double-edged sword, but what we’re doing is really for the greater good of the Internet. We’re setting up a communication networks for black hats”.

Black hats are malicious hackers, and most want to exploit flaws for private gain. However, many promote accessibility over privacy and security, so why they want to target open-source software of the type Mozilla develops is anyone’s guess.

Via Silicon.com