Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are “still investigating” and promise updates as necessary. Nevertheless, it’s beginning to look as though this was largely a prank.
Mischa Spiegelmock has now said that the talk “was to be humorous,” and that the presentation covered a “previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution.” In other words, they didn’t discover a new flaw.
Spiegelmock said that the code they presented to attendees does not not actually work, lowering fears that a true zero-day exploit could be in the wild. To make matters more embarrassing, Spiegelmock also said that no one has successfully executed arbitrary code using the attack. “I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code,” according to comments on Mozilla’s developers blog.
As to the claim that there are 30 known exploits in Firefox, Spiegelmock said that the claim was made only by Wbeelsoi, and indicated that it, too, has not been verified.
