Claims made by Mischa Spiegelmock and Andrew Wbeelsoi at last weekend's ToorCon have been watered down and withdrawn. After discussion with Window Snyder (Mozilla's security chief), Spiegelmock provided Mozilla's engineers with additional code samples along with a note explaining the risks.

This note was posted to the Mozilla developer centre. In it Spiegelmock says “The main purpose of our talk was to be humorous”, and he goes on to admit that the pair had not in fact managed to execute arbitrary code: “we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this”. Using the code shown at ToorCon, the Mozilla developers had only been able to reproduce a DoS attack (browser crash), and Spiegelmock verified this: “I have not succeeded in making this code do anything more than cause a crash”. He also denied having any undisclosed vulnerabilities, saying “I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities”.

Snyder followed up the note with the statement “Even though Mischa hasn’t been able to achieve code execution, we still take this issue seriously. We will continue to investigate”.