Stan Beer
Monday, 02 October 2006 21:02
Two hackers have detailed a serious security flaw in the Firefox web browser that would enable attackers to gain control of any computer running the Internet Explorer rival, regardless of the underlying operating system.
According to Mischa Spiegelmock and Andrew Wbeelsoi, who gave a detailed presentation at the ToorCon hacker conference in San Diego on Saturday, the vulnerability cannot be patched unless Mozilla rewrites key sections of its JavaScript code.
The two hackers gave a detailed presentation on stage showing a slide
with key information on how to exploit the vulnerability. They said
that a hacker could gain control of a computer which visits a web page
containing malicious JavaScript code.
Mozilla is taking the presentation seriously and is reportedly annoyed
at the way the hackers disclosed the exploit in enough detail for a
hacker to reproduce it.
What was even more disturbing to Mozilla is that Spiegelmock and
Wbeelsoi claim to have knowledge of about 30 Firefox vulnerabilities
and have no intention of responsibly disclosing them to Mozilla.
It seems that the US$500-per-flaw bounty that Mozilla is willing to pay
hackers who find genuine vulnerabilities was not enough incentive to
dissuade the two hackers from contributing to the sort of environment
that forces internet users to be wary of what sites they visit.