Firefox JavaScript Flaw: Real or Hoax?

Two hackers -- Mischa Spiegelmock and Andrew Wbeelsoi -- have announced a flaw in Firefox's JavaScript:

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.

More interesting was this piece:

The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs.

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

"I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets," Ruderman said.

The two hackers laughed off the comment. "It is a double-edged sword, but what we're doing is really for the greater good of the Internet. We're setting up communication networks for black hats," Wbeelsoi said.

Sounds pretty bad? But maybe it's all a hoax:

Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant "to be humorous" and insists the code presented at the conference cannot result in code execution.

Spiegelmock's strange about-face comes as Mozilla's security response team is racing to piece together information from the ToorCon talk to figure out how to fix the issue.

[...]

On the claim that there are 30 undisclosed Firefox vulnerabilities, Spiegelmock pinned that entirely on co-presenter Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not. I apologize to everyone involved, and I hope I have made everything as clear as possible," Spiegelmock added.

I vote: hoax, with maybe some seeds of real.

Posted on October 4, 2006 at 7:04 AM • 38 Comments

Comments

Tim • October 4, 2006 8:13 AM

@Mr. Spock

"You can't vote on a security issue. It has to be checked."

You mean like politicians who vote on whether or not to accept Diebold vulnerabilities!

vlna • October 4, 2006 8:19 AM

I think this is quite bad humour, mainly for common end users of Firefox and of course for other products making use of JavaScript technology. My opinion is that the goal is probably to harm and insecure this community, if it is really only a "hoax".

Bruce Schneier • October 4, 2006 8:22 AM

"You can't vote on a security issue. It has to be checked."

You certainly can vote on a security issue. You have to check to determine if your prediction is correct, though.

Fred F. • October 4, 2006 8:24 AM

And we will be seeing no end of people that conveniently choose to forget the hoax part, and will keep harping on how everything is bad and since everything is bad there is nothing they can do about it.

TOMBOT • October 4, 2006 8:29 AM

A really bad movie, but nonetheless. "I have a secret virus that is 97% fatal - to 15% of the population!"

Sean • October 4, 2006 8:45 AM

Really annoying humor intended to give network administrators heartburn. Errrhh!

Jim L • October 4, 2006 9:07 AM

Even if true it's still probably still much safer than any version of IE. It will be found and fixed faster, too.

Dirk D. Phoenix, III • October 4, 2006 9:09 AM

No doubt Spiegelmock probably realized that he was Pretty Darn Close to getting the whack from Six Apart, so he did a quick backpedal.

If it is indeed a hoax, then Mischa and Andrew will turn out to be nothing more than a pair of immature morons, crying out for attention.

If it is _not_ a hoax, then they are nothing more than a pair of immature morons ("what we're doing is really for the greater good of the Internet,") crying out for attention.

Basil Berntsen • October 4, 2006 9:21 AM

The key here is that while any one security issue for Firefox is bad for its users, security issues are still less of an issue than with mainstream browsers. I attribute this to their policies on bug disclosure.

Assuming there is a security issue with the most current edition (which I doubt), chances are that Wbeelsoi is not the only person crafty enough to find it, and the more people that know about a thing, the more likely it is to get sold to Firefox for patching.

That said, everybody seems to be saying it was a hoax, however I haven't heard Wbeelsoi come out and admit it. If it was a joke, he should do that. I'm starting to get worried...

fishbane • October 4, 2006 9:25 AM

I've seen immature wannabes do this sort of thing before. 15 minutes of fame seems worth it, at the time, until they find that people still look at them funny 10 years later.

Which is as it should be. It isn't a punishment question; I have no interest in that. Deterrence should be the goal.

J. • October 4, 2006 9:29 AM

The mentioned flaw can result in a DoS. Far less bad than remote code execution, but real nonetheless.

Btw, Microsoft is among the sponsors of ToorCon.

J. • October 4, 2006 9:44 AM

(Forgive me for posting twice in short timespan.)

Also, the extension NoScript would stop this threat except when a trusted site would do this to you. It allows one to deny any JS/Java/Flash from all hosts, except the hosts you add to your whitelist (temporarily or permanently). Very useful. http://www.noscript.net

Wbeelsoi also claimed the JS code in Mozilla FX is 'a mess' which Snyder has not commented on. Any comment/view on this?

Here's Mozilla Foundation's reply btw:
http://developer.mozilla.org/devnews/index.php/2006/10/02/update-possible-vulnerability-reported-at-toorcon/
http://developer.mozilla.org/devnews/index.php/2006/10/02/possible-vulnerability-reported-at-toorcon/

ac • October 4, 2006 10:52 AM

Almost every crash can be converted to remote code execution. I'm quite certain that there are much more than 30 potential exploits in Firefox and that most of the mozilla/firefox code has a lot of potential for crashes. IE 7 (with disabled activex, to make things comparable) certainly has safer code than moz and ff. Microsoft of today has much bigger resources for stress testing and invests much, much more to make secure code. Remaining problems with IE are all ActiveX possibilities and all sorts of third party plugins. But Moz/ff has its own problems plus all sorts of third party plugins.
The attitude of moz/ff developers "if you give us the exploit example we'll fix it" is wrong. It has to be changed. But I'm sure they really have a barrel full of holes, and that the water didn't get much in only because it was not really much immersed, only an inch or two.

Relatively recently some guy made some scripts to produce random invalid html pages. He tested different browsers and the only one which he was not able to crash was Microsoft's. The only possible conclusion was -- they obviously already did their homework and tested their browser with equivalent invalid inputs. Others, including moz/ff, obviously didn't.

In my opinion, for the start, Firefox should make a separate program for security updates. Then the main firefox.exe can be configured on all XP and later operating systems, to run under "basic user" privileges (meaning, no possibility to modify the system in any way). Such execution mode will be implemented by IE 7 on Vista by default, and will additionally make IE much less vulnerable than FF. If moz/ff brains knew what's good, Firefox could gain some advantage by having that on the existing systems.

I haven't heard that such a feature is planned by moz/ff developers/planners. Instead they spend time building the sql server in the browser only to "universally" store bookmarks (really!) and similar stupidities.

Obligatory reading: "In Search of Stupidity" by Merrill R. (Rick) Chapman (http://www.insearchofstupidity.com/)

arctanck • October 4, 2006 10:54 AM

I only know a little bit of software and security stuff, so how vulnerable is the Firefox browser? Presumably remote code execution is still very difficult on Firefox browser?

Ajax doom • October 4, 2006 11:06 AM

How will Ajax ever succeed if the "solution" to so many attacks is to turn off Javascript in the browsers?

I see this "solution" proposed all the time, though I don't know how often people actually heed such advice.

David • October 4, 2006 11:11 AM

U.S. Cert still has this listed up on their web site (http://www.us-cert.gov/current/index.html#ff0day).

Hopefully we'll get a correction, or at least a link to the Mozilla statements.

SJS • October 4, 2006 11:17 AM

I still don't see why anyone *enables* Javascript[1]. Sure, there are a lot of sites that use Javascript in hrefs and suchlike, but that's just a good sign that the website in question is user-hostile and shouldn't be patronized anyway.

The NoScript extension (why is this an extension anyway? Should this be a required feature in any browser that downloads and runs code?) is nice, except that I don't get to review the Javascript I'm whitelisting -- it's "I trust this site/page or not", and if the Javascript on the page changes, it's still approved.

Didn't Microsoft once get a C2 rating for MSWindows NT? We don't look at that and say "oh, they've got their act together, we'll trust their security practices for all subsequent releases!"

At least, I hope we don't.

[1] Isn't this ECMAScript now? It's "standardized", so it must be a good idea.
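To make concrete the two points raised above (J.'s description of NoScript's per-host whitelist with temporary or permanent entries, and SJS's objection that host-level trust keeps approving a page's script after its content changes), here is an added Python model of both policies side by side. It is example code written for this page, not NoScript's or Mozilla's implementation; the `ScriptPolicy` class, its method names and the `REVIEWED`/`CHANGED` sample scripts are all constructed for the illustration.

```python
import hashlib
from urllib.parse import urlparse


def script_digest(source):
    """SHA-256 of the script text, used as a fingerprint of reviewed code."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


class ScriptPolicy:
    """Constructed model of a per-host script allow-list (not NoScript's code)."""

    def __init__(self):
        self.permanent = set()    # hosts trusted across browser sessions
        self.temporary = set()    # hosts trusted only until the session ends
        self.pinned = {}          # host -> digests of scripts actually reviewed

    def allow_host(self, host, permanent=False):
        bucket = self.permanent if permanent else self.temporary
        bucket.add(host.lower())

    def end_session(self):
        """Temporary trust does not survive a browser restart."""
        self.temporary.clear()

    def pin_script(self, host, source):
        """Record one specific script body as reviewed for this host."""
        self.pinned.setdefault(host.lower(), set()).add(script_digest(source))

    @staticmethod
    def _host(url):
        return (urlparse(url).hostname or "").lower()

    def host_trusted(self, url):
        host = self._host(url)
        return host in self.permanent or host in self.temporary

    def allowed_by_host(self, url, source):
        """Host-granularity decision: any script from a trusted host runs."""
        return self.host_trusted(url)

    def allowed_by_pin(self, url, source):
        """Host trust plus a content pin: a script that changed since review is refused."""
        pins = self.pinned.get(self._host(url), set())
        return self.host_trusted(url) and script_digest(source) in pins


# Constructed sample scripts: the one the user reviewed, and a later replacement
# served from the same URL after the site changed its page.
REVIEWED = "document.title = 'hello';"
CHANGED = "document.title = 'hello world'; loadExtraModule();"


def demo():
    """Walk one host through default-deny, temporary trust, a changed script and a restart."""
    policy = ScriptPolicy()
    url = "https://example.com/app.js"
    result = {"before_trust": policy.allowed_by_host(url, REVIEWED)}   # default-deny

    policy.allow_host("example.com")              # temporary, like a session allow
    policy.pin_script("example.com", REVIEWED)    # the user looked at this script
    policy.allow_host("static.example", permanent=True)

    result["host_rule_reviewed"] = policy.allowed_by_host(url, REVIEWED)
    result["host_rule_changed"] = policy.allowed_by_host(url, CHANGED)   # still runs
    result["pin_rule_reviewed"] = policy.allowed_by_pin(url, REVIEWED)
    result["pin_rule_changed"] = policy.allowed_by_pin(url, CHANGED)     # refused
    result["other_host"] = policy.allowed_by_host("https://other.example/x.js", REVIEWED)

    policy.end_session()                          # simulate a browser restart
    result["after_restart"] = policy.allowed_by_host(url, REVIEWED)      # temporary trust gone
    result["permanent_after_restart"] = policy.allowed_by_host(
        "https://static.example/lib.js", REVIEWED)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The host rule is the cheap, usable one: one decision per site, which is why it is what a whitelist extension offers. The pin rule answers SJS's objection but costs a re-review every time a site legitimately updates its scripts; browsers later gave site authors rather than users a version of this trade-off with Subresource Integrity hashes.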

Anonymous • October 4, 2006 11:39 AM

There's a few inaccuracies in ac's post above.

- The firefox developers have not refused to fix the crash, they are looking into it.

- Michal Zalewski's HTML fuzzer eventually did crash IE. (http://www.securityfocus.com/archive/1/379207/30/0/threaded)

- MZ's conclusion that as of late 2004 only IE had experienced extensive fuzzing was probably correct. Since MZ released his tool, however, firefox and many other browsers have been using the fuzzer as a QA tool.

I do agree with ac's recommendation that Firefox should find a way to run with restricted privileges.

As Firefox becomes more widespread, it is only becoming a bigger, fatter target. There are going to be more attackers finding problems. Hardening the browser will pay off.
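As an added illustration of the fuzzing that ac and the reply above describe (random malformed HTML fed to a parser as a QA tool, with any crash counted as a finding), here is a small mutational harness in Python. It is example code written for this page, not Zalewski's tool or anything from Mozilla or Microsoft: the mutation set, the deliberately buggy `toy_parse` and the `SEED_DOC` sample are constructed, and the standard-library `html.parser` stands in for a browser's HTML parser.

```python
import random
from html.parser import HTMLParser

# Characters that matter to an HTML tokenizer; a mutator that favours them reaches
# odd parser states far faster than uniformly random bytes would.
INTERESTING = '<>&"\'/=!-[]?\x00'


def mutate(rng, text):
    """Apply one random structural mutation to a seed string."""
    if not text:
        return rng.choice(INTERESTING)
    choice = rng.randrange(4)
    pos = rng.randrange(len(text) + 1)
    end = min(len(text), pos + rng.randrange(1, 8))
    if choice == 0:                                  # truncate: unterminated constructs
        return text[:pos]
    if choice == 1:                                  # insert a syntactically loaded char
        return text[:pos] + rng.choice(INTERESTING) + text[pos:]
    if choice == 2:                                  # duplicate a slice: repeats, nesting
        return text[:end] + text[pos:end] + text[end:]
    return text[:pos] + text[end:]                   # delete a slice


def run_one(parse_fn, doc):
    """Return None if the parser survives the input, else the exception's class name."""
    try:
        parse_fn(doc)
    except Exception as exc:                         # any uncaught exception is a finding
        return type(exc).__name__
    return None


def fuzz(parse_fn, seed_doc, iterations=500, seed=1):
    """Mutate the seed document repeatedly and collect every input that breaks the parser."""
    rng = random.Random(seed)                        # fixed seed: every run is reproducible
    crashes = []
    for _ in range(iterations):
        doc = mutate(rng, seed_doc)
        failure = run_one(parse_fn, doc)
        if failure:
            crashes.append((doc, failure))
    return {"iterations": iterations, "crashes": crashes}


def toy_parse(doc):
    """Constructed parser with a deliberate bug: it assumes every '<' has a matching '>'."""
    for chunk in doc.split("<")[1:]:
        tag = chunk[:chunk.index(">")]               # ValueError on an unterminated tag
        tag.split()


class _NullParser(HTMLParser):
    """Accepts every callback silently; we only care whether feed() raises."""


def stdlib_parse(doc):
    """Feed the document through Python's standard-library HTML parser."""
    parser = _NullParser()
    parser.feed(doc)
    parser.close()


# Constructed seed: a small well-formed document covering tags, text, an entity and a comment.
SEED_DOC = '<p class="x">hello <b>world</b> &amp; <!-- c --></p>'


if __name__ == "__main__":
    for name, fn in (("toy_parse", toy_parse), ("html.parser", stdlib_parse)):
        result = fuzz(fn, SEED_DOC)
        print(f"{name}: {len(result['crashes'])} crashes in {result['iterations']} runs")
        for doc, exc in result["crashes"][:3]:
            print(f"  {exc}: {doc!r}")
```

The harness is deliberately parser-agnostic: `parse_fn` is anything callable on a string, so the same loop that exposes `toy_parse`'s unterminated-tag bug in a few dozen iterations can be pointed at any parser you maintain. For a native browser engine the analogue of the caught exception is a process crash, which is exactly the signal the comments above argue Mozilla was short of before fuzzing became routine QA.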

HT • October 4, 2006 11:39 AM

ac: It appears you haven't looked at what is being done in the Mozilla community about security.

There is a sizeable group of people who do nothing but attempt to break the browser by any means they can think of.

There are people who develop fuzz testing tools to try and find issues.

Coverity, and recently Klocwork, have started analyzing the Mozilla code and providing results to Mozilla engineers.

Not to mention that most code changes go through one or two levels of code review, and there is constant discussion (and code refinements) about how to improve the architecture to prevent security issues in the first place.

What does Microsoft do more or better?

The security updater idea sounds good; have to check if there is a bug on that.

Brian • October 4, 2006 11:40 AM

D'oh. "There *are* a few inaccuracies..." I hate it when I makes grammatical mystakes.

Israel Torres • October 4, 2006 11:43 AM

Here is a credo to live by in the "underground" realm that perhaps was skipped in the manual:
"Loose lips sinks ships"

It made sense then, and it makes sense now.

Israel Torres

Dan Guido • October 4, 2006 12:01 PM

All software has bugs, that fact won't change no matter how many times people audit their code. Big software, like Firefox, has LOTS of bugs, including bugs that no one has found yet.

Why are people so surprised and appalled every time a "0-day" comes out? The researcher didn't MAKE the bug, he just found one of likely many more.

Want to see a list of bugs with code changes in latest trunk of Firefox? Run this: http://metasploit.com/users/hdm/tools/mozdig.rb

Pat Cahalan • October 4, 2006 12:15 PM

The "web browser", as a piece of software, is suffering under the most outrageous demands of creeping featurism in the history of computer software... and that's saying quite a bit.

Rather than trying to cram every piece of functionality under the sun into something that has its roots in displaying a static page of marginally marked up text information, maybe it would be a good idea to apply the design principles of high cohesion and low coupling...

Probitas • October 4, 2006 1:00 PM

They may call it a "hoax", but how is this any different than crying fire in a movie theater? Crank it up a few notches and you could have an event with true economic impact; if "War of the Worlds" were replayed today, it would likely be called an act of terrorism. These bozos, if it is indeed a hoax, may be treading on dangerous turf. Try this with a popular Microsoft product and with a wider audience, and I bet the lawyers would have a field day with them.

J. • October 4, 2006 1:32 PM

"How will Ajax ever succeed if the "solution" to so many attacks is to turn off Javascript in the browsers?"

1) First of all, NoScript is in my eyes not a solution, but a prevention and preferred way to use WWW. There are many examples of JS (+ Java, Flash) unrelated to security which I do not want to execute by default. I assume you've experienced a Flash skyscraper with sounds and other bells 'n whistles in your life? That's just one example. The fact NoScript stops flaws such as the one outlined here (even if merely a DoS attack) is a nice benefit and hence it is useful to state NoScript should a situation arise where NoScript could be stated as preventing a flaw such as this one. Well, here you are. In summary, NoScript does not have the purpose to disable JS; see 3.
2) Who says Ajax has to succeed, or that my agenda is to promote Ajax? I care rat about Ajax TBH.
3) Nevertheless, if you want/need JS (and apparently, if you need JS for Ajax) and use NoScript, you can temporarily or permanently put JS on for a specific host. It merely means Ajax would not work directly until the user has authorized the browser to allow JS code for the host serving Ajax. The purpose of NoScript is not to disable JS (and Java, Flash), for if that were its purpose it wouldn't have the option to temporarily/permanently whitelist hosts to allow JS (and Java, Flash).
4) Furthermore, only a small percentage of people who use Mozilla Firefox use NoScript. Mozilla Firefox itself also has a marginal market penetration. IOW it is more likely these users would have to adapt to Ajax instead of the other way around. I foresee no problem though; see 3.

"I smell FUD... Where is Microsoft in all of this?"

Microsoft is one of the (many) sponsors of the conference where this talk was held. It's not clear what exactly Microsoft has sponsored nor are other details of the agreement clear. We also know Microsoft is not sick of sponsoring 3rd parties to support their agenda (SCO, Halloween documents) so Microsoft has their recent history against them.

Brian • October 4, 2006 1:35 PM

@Pat

Amen. The consensus is that every new application launched should be a web application, but that isn't necessarily a great idea. Do you really want your super-secure application to be accepting input from every dodgy web site on the planet?

No?

Then don't make it a web application.

Nick Lancaster • October 4, 2006 5:30 PM

Hoax or not, this is definitely an ID-10T application.

Better hope the feds think they're joking. Or didn't anyone notice the references to 'keeping terrorists and leftist extremists' from using the internet to communicate and disseminate their plans?

All Bush has to do is sign his magic bill, and you can be disappeared.

(It follows that when we don't catch terrorists, we'll allow mission creep.)

root • October 4, 2006 7:43 PM

"You can't vote on a security issue. It has to be checked."

All possible security flaws cannot be checked without solving the halting problem, which no one has (publicly) done. So this statement is, of course, malinformed. That said, I have to tip my hat to the gentlemen for working against public disclosure, publicity stunt or no.

NKT • October 4, 2006 7:57 PM

http://www.noscript.net/whats

You'll find NoScript there. I use it, and a DNS hack, to suppress 99% of annoying website experiences. I use AdBlock to wildcard block anything else that gets through.

I don't get sirens in flash web banners or flash pop-overs on most sites that have them, and on the few that do have them, they only affect me once. No cleverly crafted page gets to run anything unless I decide to allow it, and I get to see lots of amusing security and web design holes because of it, like shopping carts that hide the SQL strings via javascript (No, really!)

ac • October 5, 2006 7:25 AM

On the subject of problems with third party plugins: without some extensions (of which quality?), it's not possible to configure Firefox not to play media files (like videos) from each page that has them embedded.
That's also a security hole -- it's true that the browser exposes the bugs of others, but it still exposes them, and what's worse, the behavior can't be easily changed.

BrianS • October 5, 2006 11:30 AM

Among the many anagrams for Andrew's name is:

SEE A WEB LORD WIN

(there are plenty of other options in the anagrams to throw suspicion on the name)

I'd wager badly executed hoax, however I'd also bet on unpatched, undiscovered bugs in FF (and all other browsers for that matter).

Fenris Fox • October 10, 2006 1:00 PM

When I read the comments by the "hackers," I think my eyes bugged out of my head. I was like, "WTF can 'communications networks' for black-hats do for the good of the Internet?!"

Now don't get me wrong - anonymizing networks (e.g., Tor) have their legitimate reasons-to-be. But the comments just reek of BS.

(And if you think it's bad smelling that as a human, try being a fox. =;o) )

PS: Use NoScript. It'll at least let you keep JavaScript and plugins off until you want them. I've used it ever since I heard about the JavaScript behind-the-wall port scanner.
