At this year's ToorCon hacker convention, two hackers stated that Firefox is critically flawed because of the way it has implemented JavaScript.
The two hackers, Mischa Spiegelmock and Andrew Wbeelsoi, detailed the flaw in a slide containing key parts of the attack code needed to exploit Firefox and the computer running the browser.
Various JavaScript tricks can be used to cause a stack overflow error on the host system, regardless of what OS the computer is running. Spiegelmock later went on to say that the browser's JavaScript implementation is a "complete mess" and "impossible to patch".
Window Snyder, Mozilla's security chief, said that the problem appears to be a real vulnerability and "might be a variation of an old attack". "We're going to be doing some investigating," she continued.
Snyder also said that she wasn't entirely happy with the hackers' disclosure of the exploit, because there was enough information for an attacker to expose the flaw. She went on to say, "I think it is unfortunate because it puts users at risk, but that seems to be their goal." However, she also stated that there was enough information there for Mozilla to work on a fix.
She added that if it does turn out to be a problem with the way the browser deals with JavaScript, there won't be a quick resolution and a fix will take some time.
If you're a Firefox user, it's probably wise to turn JavaScript off for now - at least until Mozilla discloses more details on how the flaw will affect its users.