The open source web browser Firefox is a mess as far as it's handling of JavaScript is concerned, two hackers revealed on Saturday. Mischa Spiegelmock and Andrew Wbeelsoi said at the ToorCon hacker conference in San Diego that Firefox leaves a computer vulnerable because malicious hackers can takeover by creating a web page containing malicious JavaScript code.
Hackers said that the flaw affected FireFox running on Windows, Apple's Mac OS X and Linux. The hackers said the vulnerability was totally due to the use of the decade old scripting language. Spiegelmock said that a decent hacker could implement various programming tricks to cause stack overflow error. The hackers claimed this flaw was impossible to fix unless Mozilla rewrote key sections of the code.
Window Snyder, Mozilla's security chief acknowledged that the hackers had hit upon a vulnerable point. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating." However she added that Mozilla was not pleased with the way the hackers had gone about their job of disclosing the exploit.
"It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk but that seems to be their goal." But the presentation was a big pointer to Mozilla on what direction they needed to work, she admitted.
The hackers said they are aware of at least 30 unpatched flaws in Firefox, but had no intention of disclosing them. "It is a double-edged sword but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats," Wbeelsoi said.
