Claims made by Mischa Spiegelmock and Andrew Wbeelsoi at last weekend's ToorCon have been watered down and withdrawn. After discussion with Window Snyder (Mozilla's security chief), Spiegelmock provided Mozilla's engineers with additional code samples along with a note explaining the risks.

This note was posted to the Mozilla developer centre; in it Spiegelmock says, "The main purpose of our talk was to be humorous," and goes on to admit that the pair had not in fact managed to execute arbitrary code: "We mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this." Using the code shown at ToorCon, the Mozilla developers had only been able to reproduce a DoS attack (browser crash), and Spiegelmock verified this: "I have not succeeded in making this code do anything more than cause a crash." He also denied having any undisclosed vulnerabilities, saying, "I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities."

Snyder followed up the note with the statement, "Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously. We will continue to investigate."