Hacker apologizes for flaw demo of Firefox

Mischa Spiegelmock, one of the two hackers who on Saturday had given a detailed presentation showing the serious security flaw in Mozilla Corp.'s Firefox web browser that could not be fixed, has admitted that it was nothing more than a joke.

Spiegelmock along with Andrew Wbeelsoi had given detailed presentation at the ToorCon hacker conference in San Diego on Saturday, saying the vulnerability is not able to be patched unless Mozilla rewrites key sections of its JavaScript code. They had also said the bug would enable attackers to gain control of any computer running the Internet Explorer rival regardless the underlying operating system.

They even showed exploit code for Firefox JavaScript vulnerability at the conference amid claims that they had nearly 30 vulnerabilities, however, they did not disclosed those.

Soon after their claim, Mozilla immediately started probing and security boffins worldwide had started trying to work out what he meant and duplicate his results.

But, when Window Synder, the new security chief of Mozilla, caught up with him, Spiegelmock confessed he was just having a laugh. He admitted that the main purpose of his talk was to be humorous.

Spiegelmock forwarded a statement to Mozilla that was unleashed on the Mozilla developer center.

"We mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has,” wrote Spiegelmock.

"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities," he added. "The main purpose of our talk was to be humorous. I apologize to everyone involved."

Though, the whole episode is not more than an amusing joke, but as far as Mozilla concerns, the company would take the matter seriously. "Even though Mischa hasn't been able to achieve code execution, we still take this issue seriously," Snyder said in an accompanying statement on the developer center site. "We will continue to investigate."

The investigation may obstruct the update to Firefox 2.0 Release Candidate 2 (RC2). Although RC2 has already been posted to Mozilla's FTP servers, it might be pulled to patch up the JavaScript flaw and/or another flaw in an overlooked dialog that remains in the code from previous test builds, said Mozilla.