Firefox JavaScript security "a complete mess"?

Firefox is loaded with security flaws, according to a hacker duo that presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi used a session at the show to highlight what they have called "a complete mess" that is "impossible to patch" in Firefox's JavaScript implementation. According to the pair, the implementation is home to at least 30 possible exploits, all of which they plan to keep to themselves. CNet's Joris Evers brought the story to light this past weekend, but reports are surfacing everywhere.

The presentation, dubbed "Lovin the LOLs, LOL is my will," actually only focused on one flaw, which the presenters said affects Firefox on Windows, Linux, and Mac OS X. The exploit reportedly causes a stack overflow by merely including a small snippet of JavaScript code on a webpage. Spiegelmock and Wbeelsoi have declined to fully detail the exploit, however, leaving Mozilla a bit in the dark. In fact, after a Mozilla employee exhorted them to report the flaw and collect a $500 reward, Wbeelsoi said "what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats." Firefox JavaScript security "a complete mess"? (updated)
- tag: -

Linked by shanmuga Tuesday, 3rd October 2006 1:15AM