Critical Firefox flaw exposed

Posted by Wolfgang Gruener

Chicago (IL) - According to media reports, a pair of hackers said on Saturday that the Firefox Web browser, commonly perceived as the safer and more customizable alternative to market leader Internet Explorer, is critically flawed. A presentation on the flaw was shown during the ToorCon hacker conference in San Diego.

UPDATE 10/3/2006 7:08 PM EST: The Firefox exploit that wasn't - Hackers backpedal

The hackers claim that anyone running Firefox could be a victim of the flaw, which is related to the browser's handling of the Internet language JavaScript. Reportedly, someone could create a Web page with malicious JavaScript code that would specifically affect computers running Firefox browsers. The hackers, Mischa Spiegelmock and Andrew Wbeelsoi, claim that this could lead to remote control of any affected computer, including Windows, Apple, and Linux systems.

Spiegelmock reportedly said that the JavaScript implementation is a "complete mess" and that it is "impossible to patch." After watching a video of the presentation, Window Snyder, Mozilla's security chief, said that this issue appears to be a "real vulnerability".

Reportedly, Snyder is also understandably upset about the public disclosure of this information, claiming that the details presented during the conference almost completely show how one could exploit the flaw. "I think it is unfortunate because it puts users at risk, but that seems to be their goal," she said.

Jesse Ruderman, another member of the Mozilla security staff, persuaded hackers to disclose any potential security holes via Mozilla's "bug bounty" program instead of maliciously exploiting them to hijack vulnerable computers. Mozilla's bug-reporting system gives $500 to anyone who reports a vulnerability to the Firefox staff.

Firefox was originally introduced as an alternative to Internet Explorer, the browser that has long been known for being easy to exploit and for the distribution of worms and viruses. Because Microsoft's browser has such an enormous user base, it has always remained the main target for hackers. However, Firefox's audience has been growing and it is becoming a viable target for hackers.