Security Strategy

Firefox 'zero-day flaw' fizzles out

Not an exploit after all, says hacker...

Tags: flaw, firefox

By Joris Evers

Published: 4 October 2006 08:45 GMT

A hacker who claimed to have found a serious zero-day bug in Firefox now says he was never able to exploit the supposed vulnerability to hijack computers.

On Saturday, Mischa Spiegelmock and Andrew Wbeelsoi told attendees at the ToorCon event in San Diego that Firefox is critically flawed in the way it handles JavaScript. An attacker could commandeer a computer running the open source web browser simply by crafting a web page that contains some malicious JavaScript code, they said. They displayed some of that code.

But Spiegelmock has now backpedalled on those claims. In a statement provided to Mozilla, which co-ordinates development of Firefox, Spiegelmock said the computer code displayed during the presentation does not fully compromise a PC running the browser.

He wrote in the statement, which was posted on Mozilla's website on Monday: "I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

"The main purpose of our talk was to be humorous. I apologise to everyone involved, and I hope I have made everything as clear as possible."

He pinned the claim that the hackers know of 30 yet-to-be-fixed flaws in Firefox entirely on his co-presenter, Wbeelsoi. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not," Spiegelmock wrote. Wbeelsoi could not immediately be reached for comment.

The presentation at ToorCon caused a stir among Firefox developers. People worked through the weekend to investigate the issue, Window Snyder, Mozilla's security chief, said on Tuesday. Mozilla's bug-tracking website shows some evidence of that.

She said: "At this point, Mischa is co-operating with us, and we're pleased that he has decided to work with us but we're disappointed that so many people were spun up about this. It is an expensive operation in terms of resources and the individuals who lost time with their families over the weekend."

Based on the information Spiegelmock provided to Mozilla, the issue presented at ToorCon could still be a serious flaw, but so far it looks like an innocuous crash, Snyder said. "We've got a potential issue but at this point it is essentially a reliability issue. We have not been able to demonstrate code execution," she said.

In his statement, Spiegelmock wrote that the presentation included "a previously known Firefox vulnerability". Snyder, however, said the potential issue is similar to an old bug but is different.

She said: "What they presented was a potential vulnerability. Whenever you see a crash you want to investigate it completely, to evaluate whether or not there is any security impact. We have not exhausted all the options, so we're going to work on it... The right thing for Firefox users is to take it seriously and not dismiss anything."

Snyder couldn't say whether Mozilla would issue a patch to fix the reliability issue and potential vulnerability, or address it in a future release of the browser. "I can't say at this point, it requires further investigation," she said.

Joris Evers writes for CNET News.com