Macworld Forums: Mozilla investigating new Firefox flaw - Macworld Forums

Mozilla investigating new Firefox flaw

#1 MW Forums

Posted 02 October 2006 - 03:20 PM

Mozilla's security team is busy looking into a new Firefox flaw for which hackers revealed exploit code over the weekend.

#2 SeaFox

Posted 02 October 2006 - 09:03 PM

Quote:

On Monday, Mozilla said it was busy investigating the flaw, and did not offer any security researchers for comment because, according to spokeswoman Mary Colvig, they were all "heads down" on the problem.


"Heads down" meaning they don't know what it is, not that they are keeping everything hush-hush. While the exploit was shown at the conference, the actual code of the exploit was not made public. The "researchers" who found the security flaw are not providing the information to Mozilla because they want to exploit it.

#3 jmincey

Posted 02 October 2006 - 09:44 PM

Quote:

"Heads down" meaning they don't know what it is, not that they are keeping everything hush-hush.

Given the context in which this expression was used, I interpret "heads down" as meaning neither of those things but instead as meaning focused on the problem and working hard on it. In other words, the Firefox people were unable to comment because they were "heads down" -- so busy investigating the issue.

#4 euskir

Posted 02 October 2006 - 10:51 PM

According to the news it's the same for Windows, Apple and Linux

#5 SeaFox

Posted 02 October 2006 - 10:59 PM

Quote:

I interpret "heads down" as meaning neither of those things but instead as meaning focused on the problem and working hard on it. In other words, the Firefox people were unable to comment because they were "heads down" -- so busy investigating the issue.


Oh, gosh. That does make more sense. In any case, it's something I hope they can fix before 2.0 is released, but with little to no info right now I don't think that will happen. Right now they're looking at a handful of javascript bugs that have been open for a few years thinking that one of them is part of the exploit.

#6 griffman

Posted 03 October 2006 - 05:50 AM

It seems it's not really an exploit at all -- from this entry on the dev news pages at Mozilla:
"The main purpose of our talk was to be humorous.
As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code."
So while it's still a bug -- it can easily cause a crash in Camino, Firefox, and Safari -- it doesn't seem to be a huge security hole. However, the Mozilla team is obviously still working on fixing the problem, as crashing bugs are never good things to have...
-rob.

#7 SeaFox

Posted 03 October 2006 - 04:44 PM

Yeah just read it on Slashdot.

I like that quote at the end:
Quote:

Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.




That passing-the-blame, I didn't say it! He did! Really reeks of the stuff with Maynor and Ellch and the Wi-Fi exploit. Speaking of which, they never got to make their appearance and prove they ever had any Airport exploit to start with.