zero-day flaw in Firefox revealed? (updated)

by Antony

SillyDog701 security expert member Juha-Matti Laurio informed us that hackers claimed a zero-day flaw in Firefox at the ToorCon hacker conference. According to reports, an attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code.

The flaw is specific to Firefox's implementation of JavaScript. Mozilla Corporation confirmed that the code can cause a denial of service. Mischa Spiegelmock provided more code and clarified that it was another person who claimed that Firefox has 30 undisclosed vulnerabilities. [updated]

For more information and the latest updates, please join our discussion at SillyDog701 Message Centre.

Mozilla Developer Center issued the following statement:

Possible Vulnerability Reported at Toorcon
When someone says they’ve identified a vulnerability, we treat it as real until we can verify otherwise. We immediately begin investigating and trying to fix it. This is how we’re able to ship fixes so quickly.

At Toorcon this weekend, two speakers claimed they found vulnerabilities in the Javascript VM. Of course we take that very seriously.

So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated.

-Window Snyder

Later, Mozilla Developer News issued an update:

Update: Possible Vulnerability Reported at Toorcon

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder



Posted by Antony Shen on October 3, 2006 12:46 AM
