Firefox Flaw a Hoax, Admits Speaker
One of the speakers at a Toorcon security conference session last weekend has admitted that claims he and an accomplice made regarding an "unfixable" flaw in Firefox, and a video of the two purportedly exploiting this flaw, were a not-so-elaborate hoax.
"The main purpose of our talk was to be humorous," admitted Mischa Spiegelmock, in a statement made through Mozilla.org this afternoon.
"As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.
"I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code," Spiegelmock added.
A Mozilla spokesperson told BetaNews this afternoon, "Mozilla takes painstaking measures to maintain the security of Firefox, and immediately started investigating these reports this past weekend." The company's security chief, Window Snyder, posted a statement saying the company will continue to investigate further, assuming there's actually anything that needs to be investigated.
In an attempt to distance himself from his colleague, Andrew Wbeelsoi, Spiegelmock added today, "I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not." Evidently, the two did not coordinate their stories prior to their San Diego performance, let alone afterward.
Wbeelsoi's bio for the Toorcon session states that he "ruins things on the Internet professionally." There may be partial truth, at least, in that.
"I apologize to everyone involved," Spiegelmock closed, "and I hope I have made everything as clear as possible."