Alleged flaw in Firefox' JavaScript
In the course of a lecture held at hacker conference Toorcon, Mischa Spiegelmock and Andrew Wbeelsoi demonstrated a supposedly critical flaw in the way the Firefox implements JavaScript. This weak point can, they claimed, be used to inject and execute code into the system of a user visiting a particular web site. As well as Windows versions of the Open Source browser, the versions for Linux and Mac OS X are also reportedly vulnerable.
The two speakers seem to be having a great time playing bad guys. For instance, they refused to provide the Mozilla team with the information it needs to localize the flaw. In addition, US media are reporting that the two claimed that they have even found an additional 30 bugs in Firefox that they are keeping confidential. Wbeelsoi has been quoted as saying, "what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats." -- this is apparently his way of talking about bot nets.
In the meantime, the Mozilla team is looking into the matter itself and has acquired the slide show of the presentation, via a blog. But without an exact description, or at least a demonstration, of how the flaw works, they have not been able to determine if there is a security problem.
Those wishing to protect themselves from the security risks that the use of JavaScript poses can install the Noscript extension in Mozilla and Firefox to prevent JavaScript from being executed outside of trustworthy sites.
- Entry in the bug database at Mozilla
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
