Written by: Elizabeth Montalbano – IDG News Service
Source: PC World
Hackers revealed exploit code for JavaScript vulnerability
The security team at Mozilla is looking into a flaw in its Firefox Web browser that hackers exposed at a conference in San Diego over the weekend.
In a presentation at the ToorCon hacker conference, hackers Mischa Spiegelmock and Andrew Wbeelsoi demonstrated exploit code for a vulnerability in the way Firefox handles JavaScript.
Mozilla today said it was busy investigating the flaw, and did not offer any security researchers for comment because, according to spokesperson Mary Colvig, they were all “heads down” on the problem. The company also said it will patch the flaw if it deems that action necessary.
Memory Filler
The vulnerability could allow someone to execute a memory corruption attack on Firefox if a user browsed to a Web site that contained the exploit code, says Ken Dunham, director of the rapid-response team at security services company iDefense, a VeriSign company.
“If you were to go to a Web site that contained the exploit code, it would fill up the available memory on the computer,” he says. This would create an environment in which an attacker could take over the computer to do something harmful, he adds.
Dunham says that iDefense labs tested the exploit code, and found that it was “unreliable” and crashed the Firefox browser. Because of this, he does not consider the exploit to be a critical threat to Firefox. However, “someone could make some changes to the exploit code and make it more reliable,” Dunham says.
He adds that there are other, more critical unpatched flaws in both Firefox and Microsoft’s Internet Explorer browser that are currently under attack by hackers.
**SPECIAL NOTE**
It turns out that this has ended up to be a hoax. Read Nina’s (our Webmaster) comments regarding this story.

Claimed security hole in Firefox “just a joke”
The allegedly critical hole reported yesterday in Firefox’s JavaScript implementation has turned out, not surprisingly, to be a hoax. Mischa Spiegelmock, who made the claim at the Toorcon hacker conference, told Mozilla’s security chief Window Snyder, “The main purpose of our talk was to be humorous.”
read more at: http://www.heise-security.co.uk/news/78970
Thanks for clearing that up Nina. I know that many use Firefox and this was a grave concern.
Anyone actually believing a story in which the claim that a security hole is “un-fixable” in Firefox (bot not IE) needs to be taken out back and have a truckload of sense beaten into them. *%/#* idiots.