Print this article  |  E-mail this article  |  Comment on this article

Firefox Flaw a Hoax, Admits Speaker

By Scott M. Fulton, III, BetaNews

October 3, 2006, 3:28 PM

One of the speakers at a Toorcon security conference session last weekend has admitted that claims he and an accomplice made regarding an "unfixable" flaw in Firefox, and a video of the two purportedly exploiting this flaw, were a not-so-elaborate hoax.

"The main purpose of our talk was to be humorous," admitted Mischa Spiegelmock, in a statement made through Mozilla.org this afternoon.

"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," Spiegelmock added.

A Mozilla spokesperson told BetaNews this afternoon, "Mozilla takes painstaking measures to maintain the security of Firefox, and immediately started investigating these reports these past weekend." The company's security chief, Window Snyder, posted a statement saying the company will continue to investigate further, assuming there's actually anything that needs to be investigated.

In an attempt to distance himself from his colleague, Andrew Wbeelsoi, Spiegelmock added today, "I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not." Evidently, the two did not coordinate their stories prior to their San Diego performance, let alone afterward.

Wbeelsoi's bio for the Toorcon session states that he "ruins things on the Internet professionally." There may be partial truth, at least, in that.

"I apologize to everyone involved," Spiegelmock closed, "and I hope I have made everything as clear as possible."

Add a Comment (66 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By brooklyn

edited Oct 4, 2006 - 11:10 AM

picture of this loosers
http://i.n.com.com/i/ne/.../1.CIMG1795_550x574.jpg

Score: 0

By powerof2

edited Oct 3, 2006 - 4:58 PM

Hackers are enough of a pain in the ass. Hackers who are liers are even more so.

Next we'll be hearing they've discovered cold fusion and stem cell cloning.

Score: 0

By covertrage

edited Oct 4, 2006 - 6:42 AM

Come now, people! It can't have possibly been serious enough to justify this length.

Not good.

Not good at all.

Score: 0

By Fackin' at incredibly high speeds

posted Oct 5, 2006 - 7:52 AM

Fackin' like a master.

Score: 0

By imafurby

posted Oct 4, 2006 - 5:29 PM

Does this fit the definition of "crying wolf"?

Score: 0

By GCoder

posted Oct 4, 2006 - 4:53 PM

Screwballs.

Score: 0

By 9i08

edited Oct 4, 2006 - 4:17 PM

I honestly cant figure out why ppl bother. Is their life so s.h.i.t, that they dont have anything productive to do with it?

Thank god i have something to live for
is all i say

Score: 0

By midnighter_9999

posted Oct 4, 2006 - 2:32 PM

i'm not able to go to any mozilla sites through any browser!!! Firefox doesnt update anything as well.....I've already dloaded and installed firefox 4 times [including RC1].... I use Spybot.....will that be creating the problem??

Score: 0

By wat0114

posted Oct 5, 2006 - 11:37 AM

If using XP, check your hosts file under c:\windows\system32\drivers\etc\hosts and make sure nothing Firefox related is being re-directed to 127.0.0.1

Score: 0

By midnighter_9999

posted Oct 5, 2006 - 12:03 PM

What should i open it with???

Score: 0

By Psychlone

posted Oct 5, 2006 - 9:09 AM

Dump your DNS by going to START > RUN then type in "CMD" without quotes, then type "IPCONFIG /FLUSHDNS" without quotes.

Score: 0

By midnighter_9999

posted Oct 5, 2006 - 12:08 PM

Still not working!! :-(

Score: 0

By The MAZZTer

edited Oct 4, 2006 - 11:34 PM

Several possibilities:

If this is a new issue that was not happening before:
- Your ISP is having problems. Try again in an hour or two.
- You might have malware which is blocking your ability to go to specific sites, including antivirus sites. If Spybot won't find anything, try Windows Defender and/or Ad-aware SE.

If this has always occurred:
- Possibly one of the above, but less likely. Check anyways, especially the malware one. Can't hurt.
- Your ISP is full of a-holes who blocked mozilla.

As a temporary workaround, search for web-based proxy services. You should be able to reach mozilla sites through those, although you might have a tough time finding one that goes at a decent speed.

Score: 0

By midnighter_9999

posted Oct 5, 2006 - 12:08 PM

Still not working!! :-(

Score: 0

By naman

edited Oct 4, 2006 - 7:49 PM

Um, I use Spybot As well, and it works great. Maybe try updating spybot(or reinstalling it) and then reinstall Mozilla. It worked for my cousin. Should work for you.

Score: 0

By midnighter_9999

posted Oct 5, 2006 - 12:07 PM

Still not working!! :-(

Score: 0

By Scotch Moose

posted Oct 4, 2006 - 2:48 PM

Sounds like a loose nut behind the keyboard.

Score: 0

By berolinux

edited Oct 4, 2006 - 2:22 PM

It would be interesting to dig into the background of this... Maybe I'm slightly paranoid, but I'm smelling a FUD (Fear, Uncertainty, Doubt) attack from a certain other browser maker that fears competition here, especially given Internet Explorer's recent and not so recent history of security flaws.

Making a statement about unfixable problems gets more attention and keeps in (both conscious and unconscious) memory longer than withdrawing it.

Score: 0

By DB69

edited Oct 4, 2006 - 2:03 PM

Stop being like the rest of the "gotta get the big
headline" media, and do some research and fact
checking first.

This is why Bush and the Baddies love the corrupt
and a** kissing media, they do all the spin and
shouting down of criticism for them.

Score: 0

By bourgeoisdude

edited Oct 4, 2006 - 3:10 PM

"This is why Bush and the Baddies love the corrupt and a** kissing media..."

Not trying to create political flamewars, but if you think Bush "loves" the "a** kissing" media, you would be gravely mistaken--have you seen any positive news about Bush recently, other than the few conservative newspapers left in the world?

Actually, why is it that everything has to be a political statement anyway? It doesn't make me think for a minute that it is normal for people to treat the President of the United States as a terrorist--it's not even 10% of the U.S. population I wager (no, illegal aliens don't count). The only problem is that the 10% have mouths 8 times bigger than their ears and they spread propoganda, as well as refusing to listen.

Let's stop talking about this anyway, this article's about Firefox, not Bush.

Score: 0

By bourgeoisdude

posted Oct 4, 2006 - 1:56 PM

That was quite an expensive joke. Mozilla had to take this seriously, so no doubt they spent many resources to investigate.

I think those two buttholes should pay Mozilla for all the money they spent investigating this phantom issue!

Score: 0

By Austin814

posted Oct 4, 2006 - 3:28 PM

Are you serious? If I claim elephants can fly should I be held liable for any costs someone else accumulates while trying to prove or disprove it? How about if I say the fountin of youth is located in Africa...should I also be billed by the people that go look for it? Again,lighten up.

Score: 0

By superlgn

edited Oct 9, 2006 - 7:35 PM

What an absurd comparison. One is within the realm of possibility, the other is not. One is presented at a conference that hosts discussions about issues facing the software/technology industry. Why would anyone have any reason to believe the presentation was complete and utter nonsense?

This hurts the Mozilla name, the Firefox brand, the presenters, their sponsors (if any) and employers. This wastes time and money.

Lighten up? Hell no.

Use your head.

Score: 0

By Spuckler

edited Oct 4, 2006 - 4:24 PM

As long as those elephants and fountains do not impact the credibility of someone else's business, then no, you don't. But, if your statements are derogatory towards someone's business and creates a mass-hysteria, then yes you should pay.

The poster has a valid point and I wouldn't be surprised if the two "pranksters" weren't sued for this.

Score: 0

By Austin814

posted Oct 5, 2006 - 9:30 AM

And that is why the rest of the world views the US as a sue-happy country. Sueing for anything and everything. Because everyone has so much pride that when someone says or does something that makes you look or feel like a fool for making something out of nothing instead of taking it on the jaw and learning from it, you sue instead to prove how it was not your fault, so that next time instead of being wiser, you can sue again. It couldnt just be..well we looked into it and it was nothing we could reproduce...no its someone made us feel stupid so lets sue them. Want to sue someone? Who not sue the media, they are really who made the "mass hysteria" by, as usual just making it a bigger story, not caring about if it was based on anything real.

Score: 0

By morriscox

posted Oct 10, 2006 - 4:16 PM

Go buy a dictionary and look up words like slander and defamation.

http://www.google.com/search?q=define%3Aslander

Score: 0

By masso4321

posted Oct 4, 2006 - 12:14 PM

I'm a fan of conspiracies but my opinion is that these two guys were paid from someone for denying their prior statements.

Score: 0

By Scotch Moose

posted Oct 5, 2006 - 10:17 AM

The truth is in the code.

Score: 0

By Scotch Moose

posted Oct 4, 2006 - 10:45 AM

"The main purpose of our talk was to be humorous,"

Ha Ha

The only funny bit was the reaction of the IE fanboys, like an Iraqi or a whipped dog when they finally get their chance all they want to do give back the abuse they suffered in the past.

Score: 0

By bek

edited Oct 4, 2006 - 9:22 AM

This is one of the dumbest and most irresponsible statements I've ever heard. This joker is risking Firefox's reputation, as well as his own, and may be liable as well. What an idiot.

Score: 0

By Austin814

posted Oct 4, 2006 - 9:48 AM

I think everyone needs to lighten up and then take a closer look at when this can teach you. Everyone latches on to whatever the media feeds you without researching it on your own. The media runs with everything, true or not it just broadcasts an annoucment loud. Its that way with politics, the war, oil prices, the economy....and software bugs. Stop believeing everything you read...do a little research.

Score: 0

By huttman

posted Oct 4, 2006 - 12:09 PM

not to mention the media tells the public what "they" want to tell you, not what you need or "should" know. personally, i dont like someone else deciding whats important for me to know. Just tell it like it is, dont make sh** up

Score: 0

By rnap@aapt.net.au

edited Oct 4, 2006 - 9:13 AM

Firefox was recommended to me by the builder of my PC and I have full confidence in him. To have a wannabe commedian like Spiegelmock in a conference, trying to be funny, can do a lot of damage, as the first thing I did was to re-install IE (and how many more people). Spiegelmock should be severely punished

Score: 0

By Real1tyczech

posted Oct 4, 2006 - 9:37 AM

as the first thing I did was to re-install IE

How did you "un-install" it in the first place?

Score: 0

By Fackin' at incredibly high speeds

edited Oct 4, 2006 - 1:42 PM

He uses LINUX!!! Therefore, he installed IE in wine.

Score: 0

By Class56guy

edited Oct 4, 2006 - 8:33 AM

In this society we seem to be surrounded by ignorance and irresponsibilty of our "professionals".
Mozilla is the best thing since sliced bread of serious users.

Score: 0

By cannie

posted Oct 4, 2006 - 3:13 AM

No hoaxes about this, please! Those who work for us for free, including Betanews, must be paid with our respect and gratitude.

Score: 0

By GBH

posted Oct 3, 2006 - 11:17 PM

They must have been desperate for speakers at that convention.

Maybe these guys could go work for Sony in their Battery design department, sounds like they will fit in.

Score: 0

By zridling

posted Oct 3, 2006 - 10:34 PM

Back in my day, we'd pop a cap in these hoaxsters' knees and then ask them how funny it was. Firefox can stand or fall on its own merits, without jerks making crap up.

Maybe we should blame the reporters/bloggers/etc. for posting this lie before it could be verified.

Score: 0

By srdiamond

edited Oct 4, 2006 - 4:25 AM

Horrible, isn't it? How could they make fun and make light of something so deadly serious as a browser named ... 'Firefox.' If someone isn't serious about the Fox, he isn't serious about anything!

The joke exposed one reality that had obviously been pushed under the rug by Mozilla. The javascript module is ancient, so ancient that flaws in it probably cannot be patched. That seems like an important fact, and it should be analyzed with respect to the contentious issue of just how viable Open Source will, in the end, turn out to be. I'm not an IT professional -- not by any means -- but intuitively does it not appear that this is just the sort of intractable potential issue you would expect in a product that grows organically, without heavy "central planning"?

To me, the jokesters revealed just how deep is the unknown in a complex Open Source product like Firefox, and they exposed the analytic superficiality of those experts who endorsed FF simply based on how well the browser seems to function at the moment.

Score: 0

By morriscox

posted Oct 4, 2006 - 11:35 AM

"To me, the jokesters revealed just how deep is the unknown in a complex Open Source product like Firefox..."

And what about how deep the unknown is in closed source products?

Score: 0

By Desides

posted Oct 4, 2006 - 6:15 AM

Except... nothing has been exposed. Nothing came of this except an overreaction on the part of bloggers, news sites, and comments like yours.

Score: 0

By srdiamond

posted Oct 4, 2006 - 6:15 PM

The head of Mozilla Security admitted that if the flaw existed in the javascript component, it could probably not be patched. The general understanding of this limitation in Firefox seems a lot more important than the existence of a specific flaw.

Score: 0

By Desides

posted Oct 4, 2006 - 9:52 PM

"The head of Mozilla Security admitted that if the flaw existed in the javascript component, it could probably not be patched."

I've kept up with this issue and haven't seen an instance in which the flaw was said to be unpatchable by anyone but the hoaxster.

Score: 0

By srdiamond

posted Oct 6, 2006 - 3:36 AM

Window Snyder is widely quoted as saying, ""If it is in the JavaScript virtual machine, it is not going to be a quick fix..."

Nothing is literally unfixable. A patch differs from a partial rewrite in that a patch is a "quick fix." Thus the admission was obtained that if a flaw existed in the javascript, it would probably not be patchable. No one that I'm aware of has admitted this previously, and it certainly had not previously come before the public eye. It looks to me that this class of vulnerability had been largely swept under the rug by Mozilla.

Score: 0

By GS5

posted Oct 3, 2006 - 4:58 PM

I knew it, I didn't buy that sh!t for one minute. There were just too many conflicting reports.

Which means Firefox still the most kicka$$ browser on the planet:-) LOL

Score: 0

By Mark Gillespie

posted Oct 3, 2006 - 5:17 PM

They did manage a DoS exploit, just not code execution, don't b so smug, it's only a matter of time before someone does find more holes in the creaking browser...

Score: 0

By GS5

posted Oct 3, 2006 - 7:43 PM

Is there really any browser that isn’t susceptible to a DoS exploit? And finding holes is not a bad thing. It only helps to make the software more secure. I know you're disappointed that Firefox is more secure than IE, Opera etc... :-) But hey, that's life! LOL

Score: 0

By Desides

posted Oct 3, 2006 - 6:48 PM

Seriously, Mark, why do you publically hate on Firefox so much? You like Opera. That's cool. Use it, be happy, and leave the flamewars to idiots.

Score: 0

By Mark Gillespie

posted Oct 4, 2006 - 3:57 AM

I don't dislike anything really, apart from inaccurate reporting, that leads people into a false sense of security...

Score: 0

By Desides

posted Oct 4, 2006 - 6:16 AM

I'm pretty sure that in this case, the inaccurate reporting led to a sense of INsecurity.

Score: 0

By Joe Dirt

posted Oct 3, 2006 - 4:18 PM

Idiot kids. They have no business in this industry.

Get a real job you "hoax-sters".

Mozilla kicks ass.

Score: 0

By srdiamond

posted Oct 4, 2006 - 6:31 PM

Characterizing this as a hoax is unfair. "Spoof" would be a better description. Reports of the conference suggest actual participants understood this. Those who condemn the presenters so severely probably have not verified that the presenters failed to provide advance notice that their presentation was not serious. If you look at this notice of the talk, will you remain so uncharitable in your regard: http://www.toorcon.org/2006/conference.html?id=13

Score: 0

By westonc

posted Oct 3, 2006 - 3:57 PM

What if they got it to work and thought..."hey you idiot why did we tell everyone we could just use to it make lots of untraceable money?"

OH...yeah....it was all a hoax...don't be trying to fix it or recreate the code execution because it "doesn't exist".

Either that or the mafia found out and threatened them to hush it up so they could make all the money...

Something smells...

Score: 0

By Desides

posted Oct 3, 2006 - 4:42 PM

"Something smells..."

It's called "caution." Would you prefer Mozilla not do their damndest to make sure that there really aren't any security holes? I suspect you'd then get on here and bash Mozilla for allowing security holes to slip through.

Score: 0

By IceyKola

posted Oct 3, 2006 - 5:39 PM

What did the post have to do with Mozilla? It was about the "hoaxors" trying to take back what they said so they can try to keep the hole open. Mozilla is smart to keep looking, just in case, but it wasn't at all a stab at Mozilla. It was a funny comment, and actually what I was thinking too.

Score: 0

By Desides

posted Oct 3, 2006 - 6:49 PM

The post had the following quote to do with Mozilla:

"don't be trying to fix it or recreate the code execution because it "doesn't exist"."

This is a reference to Mozilla's statement that despite the revelation of this as a hoax, they are still testing to see if an exploit is possible.

Score: 0

By IceyKola

posted Oct 4, 2006 - 10:29 AM

I understood that to be part of the joke. Westonc is saying that would be coming from the "hoaxers" to Mozilla.

Score: 0

By orizng

posted Oct 3, 2006 - 4:00 PM

haha, lol, thats funny

Score: 0

By Heero

posted Oct 3, 2006 - 3:56 PM

The kind of kids that give hard working computer security experts a bad name.

Notice the 'not' use of hackers. =P

But also, good to see Mozilla working so hard. =)

Score: 0

By Jordanr05

edited Oct 3, 2006 - 3:47 PM

Easily two of the biggest f***in' nerds i've ever read about. Clearly neither has any common sense... Damnit stories like this piss me off.

On a positive note, kudos to Mozilla for taking every step possible to make sure there wasn't actually a problem.

Score: 0

By drumcat

posted Oct 3, 2006 - 3:41 PM

Because OSS needs this kind of rep...

Score: 0

By tnculp

posted Oct 3, 2006 - 3:55 PM

Ok, it has to be said...OSS is not perfect. Even all of you OSS fanboys know that open source has potentially as many flaws as any proprietary software. It just has to be widespread enough before they start pouring out.

Score: 0

By drumcat

posted Oct 3, 2006 - 4:16 PM

Why are you calling me a fanboy? i'm saying something made on the cheap needs its rep to compete with "pro" products.

Score: 0

By Banquo

edited Oct 3, 2006 - 3:46 PM

Morons, let them see if anyone ever takes them seriously again in their lives.

Score: 0

By truepanel

edited Oct 3, 2006 - 4:52 PM

Wait til mom kicks them out of the basement. See if they have any luck getting a job to pay for acne medication and maxim subscription.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal