Update Flaws in the way Firefox handles JavaScript code only crash the browser (at worst), contrary to earlier reports that researchers had identified a zero-day exploit that might lend itself to malware-based attacks.

Researchers Mischa Spiegelmock and Andrew Wbeelsoi discussed the unpatched cross-platform vulnerability during a presentation at ToorCon hacker conference in San Diego last weekend. The stack overflow flaw said to be at the heart of the problem is down to Firefox's implementation of JavaScript which Spiegelmock described as a "complete mess". The hackers reportedly claimed the vulnerability was one of 30 security bugs in Firefox they knew.

Window Snyder, Mozilla's security chief, who witnessed the presentation on Saturday, initially suggested that that security bug illustrated by Spiegelmock and Wbeelsoi might be a variant of a well-understand attack. Snyder told News.com that she was uncomfortable that the researchers detailed possible exploits during their presentation, a common criticism by software vendors against security researchers against researchers who practice full disclosure.

After reviewing the flaw, Mozilla published a posting on its developer blog downplaying the seriousness of the bug, initially reported by El Reg and other news outlets as creating a means for hackers to execute hostile code on Windows, Mac OS X and Linux PCs. The posting contains an agreed statement by Spiegelmock in which the security researcher backtracks on claims made during the talk that Firefox was riddled with security bugs.

"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code," the statement reads.

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."

Mozilla's Window Snyder adds in the posting that despite the reduced seriousness of the risk it was continued to investigate the issue. ®

Related stories

• JavaScript in web browsers is new security weak spot (17 May 2007)
• Firefox hands out cookies from strangers (15 February 2007)
• Firefox update guards against critical flaws (21 December 2006)
• IE and Firefox blighted by fake login flaw (23 November 2006)
• Firefox update aims to lance security bugs (9 November 2006)
• Mozilla flaws more joke than jeopardy (5 October 2006)
• MS releases emergency IE fix (27 September 2006)
• Unofficial IE patch saves humanity (25 September 2006)
• Smut sites use IE exploit to spread spyware (21 September 2006)
• Free anonymous browsing (20 September 2006)
• Mozilla security takes axe to redundant code (15 September 2006)
• Just how buggy is Firefox? (8 September 2006)
• Firefox users need to update (again) (27 July 2006)