Mozilla Investigates New Firefox Flaw
The security team at Mozilla is looking into a flaw in its Firefox Web browser that hackers exposed at a conference in San Diego over the weekend.
UPDATE: The hackers admitted on Oct. 3 that their presentation was a joke.
Mozilla today said it was busy investigating the flaw, and did not offer any security researchers for comment because, according to spokesperson Mary Colvig, they were all "heads down" on the problem. The company also said it will patch the flaw if it deems that action necessary.
The vulnerability could allow someone to execute a memory corruption attack on Firefox if a user browsed to a Web site that contained the exploit code, says Ken Dunham, director of the rapid-response team at security services company iDefense, a VeriSign company.
"If you were to go to a Web site that contained the exploit code, it would fill up the available memory on the computer," he says. This would create an environment in which an attacker could take over the computer to do something harmful, he adds.
Dunham says that iDefense labs tested the exploit code, and found that it was "unreliable" and crashed the Firefox browser. Because of this, he does not consider the exploit to be a critical threat to Firefox. However, "someone could make some changes to the exploit code and make it more reliable," Dunham says.
He adds that there are other, more critical unpatched flaws in both Firefox and Microsoft's Internet Explorer browser that are currently under attack by hackers.