Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

FUD, FUD and More FUD: ToorCon and Firefox Zero-day – Vulnerability Confusion Strikes Again!

In August it was Apple, now it’s Mozilla/Firefox.

The media reports (here and here) that two ToorCon researchers claim that Firefox is “critically flawed” and “impossible to patch.” The media also reports that “an attacker could commandeer a computer”, meaning that an attacker could run arbitrary code on the machine.

Then Mozilla publishes a letter from one of the two ToorCon researchers claiming the contrary: the exploit can only crash the browser or consume system resources.

This is a real issue: claims without proof (exploits); reports without verification.

It seems to me this is a byproduct of security by FUD. The researchers want the fame. The media loves a good story. Unfortunately people are willing to compromise the truth for either.

A scenario such as this will ultimately ruin the credibility of both parties and hurt our industry. How much longer will this occur before people turn a deaf ear? Will they then listen if an important issue truly arises?

I’m for both responsible and full disclosure; in high profile cases, researchers should follow better disclosure practices…


2 Comments

  1. Chris K. Engel Oct 3, 2006 at 12:53 pm

    I hate to break it to you, but there’s more than just two parties involved. The real story is that Mischa found the JavaScript vulnerability. He played with it a bit, but could never exploit it properly. There are many, many others that worked on it and found a proper way to exploit it. Multiplatform.

    Everyone is getting misinformation from media source to media source and it’s turning into a huge game of “Telephone.” If you read the conference transcript or see the actual video of their speech, you’ll get the real dirt. There are over 30 vulnerabilities we found in Firefox, not just the JavaScript one. On top of that, we’ve found many more in another popular browser that’s gaining more market share and is multi-architecture.

    This isn’t FUD. Quit labelling it as such. You’ll see in the very, very near future.

    Hearties.

  2. Kenneth F. Belva Oct 3, 2006 at 1:19 pm

    At this point in time, it’s FUD.

    Why?

    1) Mischa Spiegelmock admitted the talk was a joke.
    2) Mischa Spiegelmock admitted that he did not possess 30 Firefox vulnerabilities.
    3) If there are vulnerabilities, they have not yet been publicly disclosed or disclosed responsibly to Mozilla.

    Let’s assume that someone did find 30 vulnerabilities in Firefox and was able to get the JavaScript exploit to work as you claim. How are your claims really any more substantial than HD Moore’s month of browser bugs? Probably not much (and not as novel either).

One Trackback

  1. By IT Blogwatch on October 4, 2006 at 7:16 am

    Firefox prank ‘sploit disclosure

    Yes, it’s IT Blogwatch, in which a couple of self-styled hackers manage to throw the Firefox security team into a flat spin and make monkeys out of the press. Not to mention pancakes!..
