Reported Firefox JavaScript Flaws Just a Joke, Hackers Admit

Mozilla’s open source software developers quickly jumped on a supposedly critical series of Javascript vulnerabilities in the Firefox browser, only to find the hack, presented over the weekend at ToorCon in San Diego, was just a big joke.

“The main purpose of our talk was to be humorous,” said Mischa Spiegelmock, one of the duo who performed a presentation on Firefox security and called the open source browser “a complete mess” at the hacker conference.

Security experts were not amused, and Mozilla’s security team, which elicited the statement from Spiegelmock conceding the exploit presentation was a stunt, said it nonetheless was taking the stack overflow issues highlighted during the presentation seriously.

“Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously,” said Window Snyder, a spokesperson for the Mozilla Foundation. “We will continue to investigate.”

Dumb Disclosure

As the software security community addressed the supposed Firefox holes early this week, there was a consensus on the irresponsible disclosure of Spiegelmock and ToorCon co-speaker Andrew Wbeelsoi. The pair claimed to have discovered multiple Javascript vulnerabilities for Firefox, but declined to disclose them to Mozilla. They had indicated, however, a willingness to offer them up to other unsavory hackers known as “blackhats.”

“These guys aren’t disclosing fully to Mozilla what they’re doing, and that’s totally inappropriate,” IT-Harvest Chief Research Analyst Richard Stiennon told LinuxInsider. “I believe they are actually exposing themselves to criminal liability,” he added, indicating it doesn’t take a lawyer to know that such a stunt with Internet Explorer would quickly bring the wrath of Microsoft down on the hackers’ heads.

Stiennon added that the alleged Firefox security issues, which would have been critical to users of the open source browser if they were real, seemed mostly an effort to get attention.

“I think it’s an attempt on their part to grab some of the limelight,” he said.

Software Slander

The incident highlights the need for software security professionals to take responsibility for their actions, and have the common sense to know when to be humorous and when not to be, iDefense Rapid Response Team Director Ken Dunham told LinuxInsider.

“The reality is, they almost in a slanderous way put Firefox and Mozilla in a bad light,” he said. “When you’re saying things that are untrue, you can be held culpable.

“I think all security professionals should reflect on this and consider what it means to be responsible,” Dunham added.

Open Advantage

Although some vulnerability reports, such as a recent one from antivirus giant Symantec, indicate a higher number of holes for Firefox than other browsers, security experts agree that the open source alternative is still safer for several reasons.

Holes will always be discovered in browsers, said Stiennon. However, when the code is hidden in a proprietary product, there are fewer people to research and secure the software than there are with open source software products, which involve an extensive community of developers.

Dunham said he uses the same tools as attackers do to find out which browser is the best target for various exploits. While there are efforts to compromise Firefox, the overwhelming majority of attacks are aimed at Microsoft’s Internet Explorer, he said.

“There are far fewer users and far fewer attack sites,” Dunham said of Firefox.

Microsoft must deal with millions of lines of code, integration with Windows and other interdependencies in Explorer, while Firefox is a standalone product that can be rapidly upgraded, he noted.

“As a result, the risk is pretty low” for Firefox vulnerabilities, Dunham concluded.