Hackers Claim JavaScript Flaw in FireFox

Jacob Cherian - All Headline News Staff Writer

San Diego, CA (AHN) - Two hackers said that the open-source Firefox Web browser is flawed in managing its JavaScript code.

Mischa Spiegelmock and Andrew Wbeelsoi said at the ToorCon hacker conference in San Diego that a hacker could command a computer running the Web browser, Firefox, by making up a Web page that carries malicious JavaScript code. According to them, this flaw is said to effect Firefox on Windows, Apple Computer's Mac OS X and Linux.

Spiegelmock, who works for a blog company called SixApart, told CNETNews.com, "Internet Explorer, everybody knows, is not very secure. But Firefox is also fairly insecure."

She adds, "[The implementation is a] complete mess...It is impossible to patch."

Mozilla's security chief, Window Snyder said, the JavaScript issue seems to be a vulnerability: "What they are describing might be a variation on an old attack...We're going to do some investigating."

She also said that she was not happy about an apparent disclosure of an expoit: "It looks like they had enough information in their slide for an attacker to reproduce it...I think it is unfortunate because it puts users at risk, but that seems to be their goal."

Spielgelmock told CNETNews.com, "If it is in the JavaScript virtual machine, it is not going to be a quick fix."

The hackers said that they are aware of nearly 30 unpatched flaws in Firefox.

Wbeelsoi said, "It is a double-edged sword, but what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."