Firefox Zero-Day Code Execution Hoax?

kdawson posted more than 7 years ago | from the shouting-fire-in-a-crowded-fox dept.

Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.

215 comments

Great!! (3, Funny)

zappepcs (820751) | more than 7 years ago | (#16294727)

The first time that I actually started to worry that FF might have a problem, and that I should be careful, it turns out to be a hoax. I don't know whether to be happy about this or not?

Re:Great!! (4, Funny)

creimer (824291) | more than 7 years ago | (#16294879)

Be happy. It could've been worse and happened on Internet Explorer instead.

Copy and Paste is not a Hoax (1)

The_Abortionist (930834) | more than 7 years ago | (#16294899)

The Firefox team should stop thinking about adding new features in order to just take away market share from IE and start doing the basic things: perform security reviews and fix the COPY AND PASTE.

Maybe the developers seek fame (for themselves or their product) but have no substance?

Re:Copy and Paste is not a Hoax (1)

Billhead (842510) | more than 7 years ago | (#16295319)

Fix the copy and paste? In both Windows and Linux it works fine for me.

Re:Copy and Paste is not a Hoax (1)

EzInKy (115248) | more than 7 years ago | (#16295535)


> Fix the copy and paste? In both Windows and Linux it works fine for me.


I'm scratching my head too. Just to test things out I just copied and pasted from web page to location bar, web page to editor, web page to konsole session using either the mouse or keyboard shortcuts. Everything worked as expected, including shift-insert.

Re:Copy and Paste is not a Hoax (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16295687)

I recommend looking at this as a start:

http://forums.mozillazine.org/viewtopic.php?t=405151 [mozillazine.org]

There seem to be 2 bugs related to copy and paste.

Re:Copy and Paste is not a Hoax (1)

gEvil (beta) (945888) | more than 7 years ago | (#16295715)

I've encountered this bug a number of times under Firefox for Windows. Copying/pasting text from the address bar and/or webpages will work fine for hours, and then out of nowhere it will just stop working until I quit then restart Firefox. I run into this probably once every few weeks. However, I've never been able to find any rhyme or reason behind it. All I can say is that it does happen.

Re:Copy and Paste is not a Hoax (0)

Anonymous Coward | more than 7 years ago | (#16295817)

I've had this issue frequently. At least once or twice a day I will be unable to copy/paste something into the address bar of firefox. It will take 2 or 3 attempts, and suddenly it starts working again. Like parent, I've been able to find no particular reason it breaks when it does, nor what fixes it.

Re:Copy and Paste is not a Hoax (0)

Anonymous Coward | more than 7 years ago | (#16296119)

When this happens, the location bar - although appearing focused - doesn't really have focus. Hit F6 to shift the focus and make copying work again.

It's a very frustrating bug, the more so because it's pretty much impossible to reproduce and thus fix. If you ever stumble upon exact steps that make this reliably reproducible, please report a bug with those steps at bugzilla.mozilla.org

Memory Hog Hoax (-1, Troll)

bunratty (545641) | more than 7 years ago | (#16294731)

Maybe we could debunk the Firefox is a memory hog [mozillazine.org] hoax, too.

Sorry, that one's not a hoax (0)

Anonymous Coward | more than 7 years ago | (#16294965)

Somebody may have some anecdotal 'evidence' that they ran it with a small memory print but generally Firefox will bloat to several hundred MB and keep climbing unless you close it completely and restart it. Don't go blaming it on extensions either, that's a cop-out that wouldn't fly if it was MS doing it.

Re:Sorry, that one's not a hoax (1)

thrashaholic (995412) | more than 7 years ago | (#16295115)

"Several Hundred MB" ?? Hardly.

Granted, it takes up a nice large chunk of memory on my system with shit loads of tabs open, ForecastFox running (and a half dozen other plugins), but several hundred MB?? No.

Even if I leave it open for days on end with a dozen tabs open it barely breaks 100MB. That's a far cry from several hundred.

Re:Sorry, that one's not a hoax (1)

CynicalWulf (937950) | more than 7 years ago | (#16295221)

So that's why after an hour (from top):

6727 user 15 0 399m 225m 22m S 0 11.2 4:18.79 firefox-bin

and if I leave Firefox running on my work machine (XP SP2) overnight, it uses 800Mb of memory and about 1.5Gb of swap??

Re:Sorry, that one's not a hoax (1)

thrashaholic (995412) | more than 7 years ago | (#16295665)

Guess I'm just lucky then? I didn't say it wasn't a huge memory hog (Takes up twice as much memory as VS 2003 while debugging), just that I've never experienced anything NEAR 800M and 1.5Gb of swap?!

Re:Sorry, that one's not a hoax (2, Interesting)

Ja'Achan (827610) | more than 7 years ago | (#16295253)

http://www.mozilla.org/projects/seamonkey/ [mozilla.org] Seamonkey is currently using 351 MB of memory, according to Windows Taskmanager. That's after 5 days of uptime, and no exception. I know, it's not Firefox, but I suppose there is a large code base shared.

Re:Sorry, that one's not a hoax (1)

thrashaholic (995412) | more than 7 years ago | (#16295815)

That's weird because almost everyone else here is saying that Seamonkey doesn't have that problem. Still, I've never seen this 800Mb of RAM and 1.5Gb of swap like some others are claiming, and I have 6-12 tabs open 24/7 on Win2k3 and hardly ever close firefox or reboot. *shrugs* YMMV I guess.

Re:Sorry, that one's not a hoax (0)

Anonymous Coward | more than 7 years ago | (#16295401)

"Several Hundred MB" ?? Hardly.

It's happened to me, twice: my Linux box has 1/2GB RAM, same amount of swap. Very little of that is claimed by apps - maybe 400MB.

Twice I've had Firefox expand to consume so much memory that it ate up all my swap, causing the HD to thrash like crazy. Worse, I wasn't even using it at the time - I'd left it running with Firefox open, and come home to seeing my harddrive being tortured! It took ages to kill the firefox-bin process, but after that, my box breathed a sigh of relief :)

This was in the 1.0.7 days, though - it's not occurred with 1.5.x, although I can effortlessly bump that up to 150MB, close all tabs, and see no RAM ever relinquished back to the OS. It's either a bunch of leaks or severe fragmentation.

I've since switched to Konqueror and, though it makes for a fairly lousy browser shell, the memory management is comparatively superb - I rarely go over 100MB, and closing tabs actually reduces the RES amount (and yes, it's all fully paged into RAM). The main disappointment with Konqueror is its appalling CPU usage with GIF handling - I very frequently have to use the Stop Animations option to stop my laptop roasting my nuts off! :)

Re:Sorry, that one's not a hoax (1)

ehrichweiss (706417) | more than 7 years ago | (#16295511)

The instance I'm running right now (with very few extensions installed, I might add) that has been running (idling mostly) for about 12 hours is already at 102meg and once I start using it again, it'll soon jump over 200 meg easily. If I restart it, it'll start around 40meg and then within 10 minutes (without me doing much more than visiting google) it'll be around 80meg again. I can repeat this time and time again without fail. Eventually it starts hogging enough that it requires another restart. I might get a whole 24 hours out of one instance before a restart is required IF I don't use it that often, usually 6 hours of use equals at least one restart of FF. Mozilla Suite (Seamonkey?) never used more than 80 megs with everything running so this is a bit confusing at this point.

Re:Sorry, that one's not a hoax (1)

Tim C (15259) | more than 7 years ago | (#16295645)

All I can do is throw an anecdote at your anecdote, but the day before yesterday I had FF taking up 759MB of RAM after a day or so of idling, followed by an hour or so of actual use.

That's unusual, I'll grant you, but I regularly see FF using 150-200MB of RAM. It's gotten to the point now where I rarely bother checking; I just shut it down every day or two on general principle.

Re:Sorry, that one's not a hoax (0)

Anonymous Coward | more than 7 years ago | (#16295841)

I dunno man.

http://img178.imageshack.us/img178/9831/screenvi4.jpg [imageshack.us]

That's the lower end, it can double if left up long enough.

Re:Memory Hog Hoax (1)

cascadingstylesheet (140919) | more than 7 years ago | (#16295189)

>Maybe we could debunk the Firefox is a memory hog [mozillazine.org] hoax, too.

We could if it *were* a hoax. Since it's reported by decent folk all over the place, I don't think we can.

If the problem really is just extensions, then Mozilla *still* needs to do something about it. Don't list them on the official extensions list until they are fixed. As somebody in the thread you linked to mentioned, what's the point of using FF if you can't use extensions?

Re:Memory Hog Hoax (1)

Captain Splendid (673276) | more than 7 years ago | (#16295473)

If it's not a hoax, it's fucking close to one. Sure, back in the 1.x days, problems ensued, but post-1.5 Firefox is freaking ridiculous with the amount of punishment it can take (and I sure do love dishing it out.)

Re:Memory Hog Hoax (1)

cascadingstylesheet (140919) | more than 7 years ago | (#16295617)

>So, I don't understand what the point is,

The point of what?

The situation is: lots of people complain about FF memory usage to this day, including 1.5+, how the memory usage grows over time while the program is open and being used. FF developers say "no it doesn't!" or "it's the extensions' fault!"

My point is, even if it is the fault of extensions, at a minimum FF needs to respond by not listing these extensions on their official list on their website. For many, many users the whole point of using FF is to be able to use various extensions. It does no good to say "the base browser is fine", when it comes to public perception of this problem. Any more than it did MS any good to say "it's the third party drivers causing the blue screens!" So point us to the extensions that *don't* leak. Or at a minimum don't point us to the extensions that *do* leak.

Re:Memory Hog Hoax (1)

gEvil (beta) (945888) | more than 7 years ago | (#16295201)

Have the Debian folks come up with a new name for Firefox yet? If not, I suggest Firehog.

Re:Memory Hog Hoax (0)

Anonymous Coward | more than 7 years ago | (#16295203)

firefox.exe: 101,148 KB

That's since I've started running it this morning, a good five hours ago. I expect a browser to make it through a work day without restarting.

Not a memory hog my ass.

The fun thing is that it keeps on going up as I type this. And keep in mind that's to the nearest kilobyte, this post doesn't contain much more than 1-2KB of text, and it's gone up an entire MB! (Whoops - more than 1MB now.)

NoScript (1)

BadAnalogyGuy (945258) | more than 7 years ago | (#16294743)

The NoScript extension is like a firewall for your browser. I install it on every computer I can lay my hands on.

Re:NoScript (1)

nebulous_afterthough (943262) | more than 7 years ago | (#16294871)

You obviously don't use GMail, Google Calendar, and the like. Then again, I used them until Google upgraded something and they no longer displayed correctly with FF on OpenBSD. Ah well.

I do have to say that I find the title querying about a hoax encouraging. My curiosity was tweaked, but not much more. Had the title included IE, I would have started sweating yet again thinking of my clients and then servers tipping over like Dominos. And that's after the monthly patch grind I already endure...

GMail and JavaScript (2, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#16295017)

> You obviously don't use GMail,

You can use GMail just fine without JavaScript. It complains and writes you a message at the bottom of every page saying something like 'To take full advantage of Gmail, use a supported browser...'

It does however still work just fine without it.

Re:NoScript (2, Informative)

gorre (519164) | more than 7 years ago | (#16295079)

> You obviously don't use GMail, Google Calendar, and the like.

With NoScript one can designate sites that are allowed to run javascript, it's just that it is disabled by default. I use NoScript and have simply whitelisted google.com and any other trusted sites that require javascript.

You trust Google? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16295155)

You are a fucking idiot.

Re:NoScript (1)

kwark (512736) | more than 7 years ago | (#16295121)

If you had bothered to take a look at noscript you would have found the whitelisting feature for trusted hosts.

Re:NoScript (4, Funny)

TheRaven64 (641858) | more than 7 years ago | (#16295101)

But...

But...

Web 2.0!

*splutter*

Re:NoScript (1)

Ant P. (974313) | more than 7 years ago | (#16296029)

NoScript is a feature Firefox should have had from day one, and IE has had for over 10 years.

Not surprised. (1)

Fordiman (689627) | more than 7 years ago | (#16294749)

Neither am I.

Re:Not surprised. (2, Funny)

Jugalator (259273) | more than 7 years ago | (#16295659)

I bet you have few friends. :-(

It's all fun and games until someone gets hurt (2, Insightful)

davidwr (791652) | more than 7 years ago | (#16294755)

Or until someone wastes time taking you seriously.

Yelling "bomb" in an airport isn't funny. Neither is this.

Next time, make it painfully obvious you are joking so people don't waste valuable time.

Re:It's all fun and games until someone gets hurt (5, Interesting)

Anonymous Coward | more than 7 years ago | (#16294889)

It was painfully obvious to anyone at the presentation that the whole thing was a joke. It was the best presentation I saw at Toorcon just for the hilarity factor. If they were talking at any other convention I'd go see them again.

Most of the press got the joke, laughed, and ignored it. It was some tool at CNET's fault for compromising his journalistic integrity and reporting satire as fact that caused the problem.

Then it wasn't painfully obvious enough (5, Funny)

davidwr (791652) | more than 7 years ago | (#16295069)

If the CNET folks didn't get it, the panel should've made sure they did.

Any prank like this NOT done on 1 April needs to end with "and for those of you who left your sense of humor at home, the preceding presentation was 100% pure entertainment and any resemblance to reality was purely to tweak your nose. Please stay for the next panel on novel approaches to perpetual motion. Thank you."

I don't think it was a "joke". (3, Insightful)

khasim (1285) | more than 7 years ago | (#16295007)

I think that these two were looking for a little fame ... and did not realize how the professionals would react to their claims.

Once they realized that the professionals (who are better programmers than they) were looking into their claims, they fell back on the "it's a joke" claim.

Re:I don't think it was a "joke". (1)

BeeBeard (999187) | more than 7 years ago | (#16295053)

That's an interesting theory. They're either guilty of being fame-hungry alarmists, or creepy, untalented kids with a bad sense of humor. Either way, they need a cardboard tube beating.

Re:It's all fun and games until someone gets hurt (4, Insightful)

Kelson (129150) | more than 7 years ago | (#16295501)

The way this went down reminds me of an event from high school. Now, to put this in perspective, it was probably 1993, so about 5 years before Columbine.

There was a drama festival that our school attended each year, held at a nearby college. One year, one of our scenes involved prop guns. One of my classmates took one of the fake guns up onto a balcony, stood on the railing, and pretended he was going to shoot himself. Big surprise, campus security showed up, assuming he had a real gun and was really going to blow his brains out. The next year, the festival banned prop weapons. IIRC if you had a scene that needed them, you could sign up to use *their* props, which would be provided for the particular scene.

Had he done the same thing on stage, introduced as a monologue he had written, with people aware the gun was a prop, no one would have freaked out.

Back to the Firefox panel, I don't know how clearly this presentation was labeled as humor. But all it takes is someone who doesn't have the full context to take it seriously -- and security people have to take threats seriously, at least long enough to investigate and find out that the gun is just a prop.

Suicide on stage (0)

Anonymous Coward | more than 7 years ago | (#16295585)

When I was in my teens, a local high school student killed himself on stage during theatre practice.

From what I heard, he intentionally sneaked a real gun in place of a prop so he could go out with the cast watching.

This was a long time ago.

...crash and eat up system resources... (5, Funny)

RHIC (640535) | more than 7 years ago | (#16294757)

No change there then.

Moo (1, Flamebait)

Chacham (981) | more than 7 years ago | (#16294759)

So, let me get this straight. Microsoft opens the code for their browser and lets people look at it, and submit "patches". All patches must go through a slow for approval (for good code) process. Anyone who releases it on their own is sued for copyright violations. And anyone who reports a bug mysteriously reports the next day it was a hoax and a joke.

I want this Microsoft FUD to stop right now!

oh, wait, this is Mozilla? Err.. umm...

I wholly support Mozilla Corporation's moves in the Open Source community, they are right in this case, and anyone who goes against them is against successful open source projects.

Re:Moo (5, Interesting)

masklinn (823351) | more than 7 years ago | (#16294861)

> Anyone who releases it on their own is sued for copyright violations.

Actually not, it's trademark violation, and it's only if you release it under the name of "firefox". Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.

Re:Moo (1, Funny)

Anonymous Coward | more than 7 years ago | (#16295469)

> "Intarweb Implorer"

Hey I think you found Debian's new name for Firefox.

Re:Moo (0)

Anonymous Coward | more than 7 years ago | (#16294901)

make sense or shut up

Never believe anything without a second source (3, Insightful)

Opportunist (166417) | more than 7 years ago | (#16294765)

And, this should be noted, this should NOT be limited to security exploits and hoaxes. It's twice as true for news that really matters. Too many people want to believe what they hear as long as it fits their personal point of view, without even questioning whether something is true or not.

As long as it fits into their view of the world, it becomes true for them and they perpetuate the lie.

Re:Never believe anything without a second source (5, Funny)

gEvil (beta) (945888) | more than 7 years ago | (#16295127)

> Never believe anything without a second source

Anyone want to reiterate what he said so we can know that we should believe him?

Re:Never believe anything without a second source (4, Funny)

chroot_james (833654) | more than 7 years ago | (#16295163)

I'll back him up. Kind of. I propose requiring a third source. Anyone want to reiterate?

Re:Never believe anything without a second source (1)

bogie (31020) | more than 7 years ago | (#16295471)

I disagree. Now you still have to find a 3rd source to agree with you and 3 sources to discredit me. And of course I just got off work so I have all day long to disagree with those who disagree with me in the first place. Better put on a cup of coffee. :-)

Re:Never believe anything without a second source (0)

Anonymous Coward | more than 7 years ago | (#16296087)

Don't worry. He was just hoaxing.

Re:Never believe anything without a second source (2, Insightful)

Billosaur (927319) | more than 7 years ago | (#16295167)

Does that include the article saying it was a hoax? What are we to believe?!?!?

Re:Never believe anything without a second source (1)

Opportunist (166417) | more than 7 years ago | (#16295227)

Simple. The next credible source talking about it. And since it's disputed, it might be a good idea to wait for a third source before believing it.

Then again, seeing is believing. If someone produces a reproducible proof, that's good enough for me.

Re:Never believe anything without a second source (1, Informative)

Anonymous Coward | more than 7 years ago | (#16295993)

From Mozilla Dev News Blog [mozilla.org]

We got a chance to talk to Mischa Spiegelmock, the Toorcon speaker that reported the potential javascript security issue referenced earlier [mozilla.org]. He gave us more code to work with and also made this statement and agreed to let me post it here:

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.

Sincerely,

Mischa Spiegelmock

Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously. We will continue to investigate.

-Window Snyder

Microsoft link? (4, Interesting)

masklinn (823351) | more than 7 years ago | (#16294775)

This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:

A blog called Geemondo [blogspot.com] also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys. [2y.net]

(PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)

Re:Microsoft link? (1)

BlindRobin (768267) | more than 7 years ago | (#16295181)

really ? now this is a surprise....

God he's ugly (0)

Anonymous Coward | more than 7 years ago | (#16295279)

He ain't so easy on the eyes, is he. Oh wait, I should be careful. He might not hack my browser! Nooooooooo!

Assholes! (1)

BeeBeard (999187) | more than 7 years ago | (#16294801)

Now I don't feel so bad for making fun of their last names!

You get the tar... (0)

Anonymous Coward | more than 7 years ago | (#16294823)

I'll bring the feathers.

Not a funny joke (4, Informative)

loconet (415875) | more than 7 years ago | (#16294831)

There is also a post about this on the Washington Post [washingtonpost.com]. Apparently, they were just having fun?

If I was Alistapart, I would have gotten rid of this "clown" immediately.

Firefox is self-important slobware (1)

AssCork (769414) | more than 7 years ago | (#16294833)

I laugh at the incredulous panic that this hoax creates. If you stop a minute to analyze (and maybe comb the crumbs from your disgusting neck beard) you would realize this means very little to 99.8% of the computing world - those of us with spouses.
Oh and I don't count Apple fags as computer users.

Now I get to laugh (1)

SuperStretch (1005515) | more than 7 years ago | (#16294867)

at all my peeps who are pro-IE. They bashed me with this zero day thing till kingdom come and now I get to throw this back in their faces. Funny... I get to do the same thing about the Buffalo Bills.

Re:Now I get to laugh (1)

dedazo (737510) | more than 7 years ago | (#16295049)

To anyone who is "pro-IE", I always show them Firefox with AdBlock. That gets them every time.

IE can be used safely if it is patched and you don't have the habit of visiting random websites (most people visit only a handful of sites anyway), but FF+AdBlock simply trumps everything else. I know about Proxomitron and all the other solutions for IE, but they simply can't come close to AdBlock.

Paired with a few other must-have extensions like TabMix Plus and CustomizeGoogle, I will happily live with Firefox's enormous memory bloat.

Insulting people and telling them that their choice in software is crap accomplishes nothing. Show them the alternatives and you'll make a difference.

Today I use IE primarily for the occasional Flash-heavy site I have to visit, or for things like OWA. Other than that it mostly goes unused.

Re:Now I get to laugh (1)

SuperStretch (1005515) | more than 7 years ago | (#16295173)

Well these are friends of mine who have debated this point since ... Firefox was beta. Gloves came off a long time ago. But seriously, they are good friends. Just infected friends. Friends that need salvation.

I run Nuke anything Enhanced, Master Password Timeout, Switchproxy, Adblock, IE tab, FDM plugin, and Google Notebook.

Re:Now I get to laugh (1)

dedazo (737510) | more than 7 years ago | (#16295261)

You know, I just realized I sort of implied that you were "insulting" your friends or something - sorry. I'm sure that's not the case =)

It all comes down to using the right tools for the job. For a while now Firefox has been the right tool for browsing the web on Windows, in my opinion. Maybe that will change later when IE7 is released. Who knows.

Re:Now I get to laugh (1)

SuperStretch (1005515) | more than 7 years ago | (#16295325)

It all depends on if Microsoft focuses on security first. All too often they make user-friendliness (respectably) priority and play catch-up. But this is preaching to the choir.

Re:Now I get to laugh (1)

masklinn (823351) | more than 7 years ago | (#16295735)

> It all comes down to using the right tools for the job.

A baseball bat is always the right tool for the job of convincing people that your views of the world are better than theirs.

FTA: Meant "to be humorous" ?? (1)

BeeBeard (999187) | more than 7 years ago | (#16294873)

Are nerds really that unsocialized that something like this qualifies as humor?

Re:FTA: Meant "to be humorous" ?? (1)

SuperStretch (1005515) | more than 7 years ago | (#16294943)

I guess it's sort of like a friend saying that you have a humongous zit, and when you go to look in the mirror, he says.. just joking.

Re:FTA: Meant "to be humorous" ?? (1)

AssCork (769414) | more than 7 years ago | (#16295123)

Only in this case - they actually have a zit. You are talking about nerds, remember?

What a shock (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16294895)

The skill-less losers from Bantown whose purpose in life is to stir up pointless drama don't actually have any real exploits? Surprising.

No way! WTF? (0)

Anonymous Coward | more than 7 years ago | (#16294917)

> Turns out this is a possible hoax that was overblown for laughs

Knee jerk reactions and FUD just don't happen here on slashdot. We have cooler heads than that.

Moo (5, Funny)

Chacham (981) | more than 7 years ago | (#16294919)

FireFox has no exploits. All exploits are actually in IceWeasel [slashdot.org], to avoid legal action from Mozilla [slashdot.org].

In other news, Microsoft has said that their version of Genuine Internet Explorer has no bugs, and any bugs, must be due to a bad download, or user tampering. As such, all user installs of Internet Explorer will be renamed to "Meshed-Screen Interpolated E-reader" (MSIE for short), and will subsequently be subject to licensing fees.

FireFUD (1)

Foofoobar (318279) | more than 7 years ago | (#16294969)

Let the speculation about whether this was FUD funded by our favorite Redmond-ians begin

Libel (1)

DonMesserli (848992) | more than 7 years ago | (#16295005)

So-called security experts who lie about exploits and vulnerabilities need to be held liable for their statements. Their remarks were libelous whether they were done in jest or not.

They need to be made an example of...

Re:Libel (1)

wild_berry (448019) | more than 7 years ago | (#16295509)

I saw your call and I'm here with my flaming torch and pitch fork. Where's the rest of the lynch mob?

Re:Libel (1)

jbeaupre (752124) | more than 7 years ago | (#16295911)

Or is it really slander? Either way, the Mozilla Foundation might not think the prank is very funny and decide to spank these guys.

he hasn't gotten it to do so? (3, Insightful)

Lord Ender (156273) | more than 7 years ago | (#16295055)

It takes a very rare and specific skill set to write a memory corruption exploit. The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible.

Re:he hasn't gotten it to do so? (3, Informative)

AlgorithMan (937244) | more than 7 years ago | (#16295277)

> The fact that one person was unable to go from overflow to arbitrary code execution

of course big, complex programs (like a JavaScript VM) have errors, if you want proof, you have to make a Hoare calculus http://en.wikipedia.org/wiki/Hoare_logic [wikipedia.org] for the source code and believe me, this is really really much work! - - - but this alleged error seems to be nothing but posing...

part of my answer missing (1)

AlgorithMan (937244) | more than 7 years ago | (#16295669)

strangely a part of my answer to your post disappeared...
> The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible

but it was the person who claimed he could use the overflow to execute arbitrary code... it's no proof that it wasn't possible to do that, but at least it's also no proof that it was possible (like he claimed)

Real Names? (0)

Anonymous Coward | more than 7 years ago | (#16295089)

Andrew Wbeelsoi is an anagram for Barelee (barely) Windows or A Windows Rebel (extra e).
Mischa Spiegelmock is an anagram for "Im lame. Check gossip."

Odd.

I'm not buying it (0)

Anonymous Coward | more than 7 years ago | (#16295105)

Seriously, I'm not.

Colour me paranoid, but this looks like Spiegelmock got a call from the spam/botnet mafia: "We know where you live. Deny everything, or else...".

Remember, if it was IE it's a Feature (1)

WillAffleckUW (858324) | more than 7 years ago | (#16295119)

If it's Firefox it's a bug.

Features don't get fixed unless they're in danger of being sued. Bugs get fixed as people can get to them.

Now they're trying extortion? (0)

Anonymous Coward | more than 7 years ago | (#16295125)

Now people claiming to "represent wbeelsoi" [burntelectrons.org] are claiming that despite Spiegelmock not knowing about it, the 30 exploits are real, and it looks like they're even trying to extort MoCo for $50K?

Nearly installed Opera last night... PHEW (1)

chroot_james (833654) | more than 7 years ago | (#16295129)

I didn't want to, but I want my system secure. It was hard to resist the timing of this and the quote they have from Mr. Schneier [schneier.com] on their page [opera.com] .

I have used the Opera browser for years, and I am very happy with it.


I must say, the reason I wanted to avoid Opera is not because of the software itself. It's the political reasons. I don't lose very much by staying with Firefox, whose open source ideals I agree with more than Opera. That's assuming Opera truly is better. I do, however, respect Opera for sticking their neck out as an alternative browser.

Re:Nearly installed Opera last night... PHEW (0)

Anonymous Coward | more than 7 years ago | (#16295725)

For anyone using Opera, or for you if you ever switch to Opera, please change the default UA identification to read as Opera and not as IE.

Don't change it to Mozilla either. Let Opera show itself as it really is. Thanks to the push from Mozilla many sites are writing more standards correct code, or at least not writing IE specific code. Therefore more sites will display correctly in Opera and the need to disguise itself as IE is no longer needed. Unless you visit a few specific sites that only serve IE pages.

I use Firefox, Konqueror and even Dillo. As long as a browser serves pages correctly when given a Doctype then I am happy. Until IE does this, then I will be against IE and giving IE praise when in reality it is Opera that should have a higher showing in the logs.

Re:Nearly installed Opera last night... PHEW (1)

Ant P. (974313) | more than 7 years ago | (#16296111)

It still uses a fake UA in version 9? How do they expect anyone to take them seriously?

come on (1)

mindwar23 (964732) | more than 7 years ago | (#16295159)

is anybody really surprised this is a fake? i mean look at how stoned [com.com] they are!

Not "a FORMER developer"?! (1)

Keith Russell (4440) | more than 7 years ago | (#16295179)

You mean Six Apart hasn't sacked Spiegelmock yet? What's Mena waiting for? Maybe she's having all the chairs in her office bolted down in case she has the sudden urge to impersonate Steve Ballmer during the exit interview. I know if I caught an employee pulling the shit Spiegelmock just did on my watch, I'd need the most sound-isolated conference room in the building.

Re:Not "a FORMER developer"?! (0)

Anonymous Coward | more than 7 years ago | (#16295267)

Perhaps that is because you are a sad cunt with no sense of humour.

Re:Not "a FORMER developer"?! (0)

Anonymous Coward | more than 7 years ago | (#16295515)

not to mention that his friend there was allegedly involved in the big javascript-based attack on livejournal.
I would be suspicious enough about that connection alone to fire the punk.

Re:Not "a FORMER developer"?! (1)

Stanistani (808333) | more than 7 years ago | (#16295591)

If you want some fun, google Mischa Spiegelmock and catch the returns - geesh!
>Mischa Spiegelmock is a 19-year old boy in San Francisco, CA. is single. is tagged bbqs, dork, and frisbee.
>Mischa Spiegelmock. Yo yo beezies this is m-spizzle straight outta ... keep it real up being studious and shit at the university of muhfuh san francisco and ...
>Hi, my name is Mischa Spiegelmock. I'm a software engineer intern at LiveJournal.
>Picture Gallery: The Great SF Pillow Fight. The Great San Francisco Pillow Fight of '06. By Mischa Spiegelmock. "My most difficult photo shoot yet" ... ...and it goes on and on...

He's just a keed.

huh. (0)

Anonymous Coward | more than 7 years ago | (#16295187)

would it be funny to everyone if this was IE?

Let's be honest.. Score -1: Flamebait (0)

mr_stinky_britches (926212) | more than 7 years ago | (#16295331)

by the time it's made it to Slashdot, or any other major website for that matter..it is highly unlikely that it is actually "Zero-Day" (aka "0day"). Zero-Day would mean that the exploit was really fresh, as in very few people are aware of the exploit. Or, interpreted literally, it would mean that it had been less than 24-hours after it is first discovered.

Why are people trying to resurrect this old buzzword? It is starting to get old (re: 'TERRORIST' old..).


I'm not impressed. I thought this was supposed to be a tech-savvy website?

Re:Let's be honest.. Score -1: Flamebait (2, Interesting)

Tim C (15259) | more than 7 years ago | (#16295773)

These days, "0day exploit" seems to have changed to mean "an exploit for which there is currently no fix". Not quite the same...

[Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.

It's been 4 minutes since you last successfully posted a comment.]

armor (1)

Max_W (812974) | more than 7 years ago | (#16295555)

It is not possible to protect anything or anyone 100%.

For example, the modern military body-armor. It is still possible to hurt a soldier in the neck or leg.

I mean the state (or states) should attack the culprits back and bring them to justice for the harm they invoke.

Yet another victory... (0)

Anonymous Coward | more than 7 years ago | (#16295895)

... for the Religious Right.

FUD? (1)

stuartrobinson (1003887) | more than 7 years ago | (#16296089)

I have trouble buying the whole just having fun angle. Call me paranoid, but I smell FUD...