RSS Archive Contact Us Advertise

IT Management Begins With Security
SecurityProNews > Insider Reports > Insider > Firefox Accused Of JavaScript Mess
Search:
[ insider_reports_insider ]

Firefox Accused Of JavaScript Mess



David Utter
Staff Writer
2006-10-02

SecurityProNews: Insider Reports Insider Reports RSS Feed


A "complete mess" in the implementation of JavaScript in the Firefox browser leaves its users vulnerable to an assortment of stack overflow attacks, according to accusations made at the ToorCon hacker and security conference in San Diego.

Firefox Accused Of JavaScript Mess
Firefox Accused Of JavaScript Mess

Presenters Mischa Spiegelmock and Andrew Wbeelsoi claim to have an arsenal of around 30 Firefox problems that they plan to keep under wraps.

But as CNET reported from their presentation, a vulnerability they did discuss during their presentation may become a zero-day exploit for Firefox users, according to Mozilla chief security officer Window Snyder:

Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal."

At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.
The two hackers also dismissed a request from another Mozilla security staffer, Jesse Ruderman, to hand over the flaws in exchange for Mozilla's Bug Bounty rewards for such discoveries:

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
Although Mozilla has had more vulnerabilities to patch in Firefox in 2006 than Microsoft has had with Internet Explorer, Firefox generally gets the nod as being more secure due to the speed in which the browser receives security updates.

Should the problem be as Snyder feared, Firefox could be in for a massive rewrite.

---
Tag:

Add to Del.icio.us | Digg | Yahoo! My Web | Furl

Bookmark SecurityProNews -




About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.

More insider_reports_insider Articles

SecurityProNews: Insider Reports Insider Reports RSS Feed

Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Contact Us | Advertise | Newsletter Archive | Sitemap | Submit an Article | News Feeds
SecurityProNews is an iEntry, Inc.® publication - 1998-2008 All Rights Reserved | Privacy Policy and Legal		 Join the WebProWorld Forums: Click Here
Virus Warnings

Subscribe to
SecurityProNews FREE!


[ more newsletters ]

Featured On:
article resources
Search Articles:
[advanced search]

WebProWorld.com
Get in-touch with industry experts and leaders
Post your site for review by expert and peers
Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com

Titan Quest Forum
The #1 Titan Quest forum
Halo 3 Forum
The best Halo, Halo 2, Halo 3 forum
Nintendo Wii
Nintendo Wii news and views
Mac Software
The best in OS X freeware
Graphics Forum
Your source for graphic tutorials
SecurityProNews.com | Breaking eBusiness News Get Your IT Questions Answered - Click Here SecurityProNews News Feeds