Firefox JavaScript security "a complete mess"?
Firefox is loaded with security flaws, according to a hacker duo that presented at this year's ToorCon. Mischa Spiegelmock and Andrew Wbeelsoi used a session at the show to highlight what they have called "a complete mess" that is "impossible to patch" in Firefox's JavaScript implementation. According to the pair, the implementation is home to at least 30 possible exploits, all of which they plan to keep to themselves. CNet's Joris Evers brought the story to light this past weekend, but reports are surfacing everywhere.
The presentation, dubbed "Lovin the LOLs, LOL is my will," actually focused on only one flaw, which the presenters said affects Firefox on Windows, Linux, and Mac OS X. The exploit reportedly triggers a stack overflow merely by including a small snippet of JavaScript code on a webpage. Spiegelmock and Wbeelsoi have declined to fully detail the exploit, however, leaving Mozilla somewhat in the dark. In fact, after a Mozilla employee exhorted them to report the flaw and collect a $500 reward, Wbeelsoi said "what we're doing is really for the greater good of the Internet, we're setting up communication networks for black hats."
Mozilla's head of security, Window Snyder, indicated that Mozilla believes the exploit to be real. She has also said that the presentation given at the conference contained enough information that other hackers may be able to reproduce the exploit before it can be patched.
Reports of the flaw come less than a week after Symantec's biannual Internet Security Threat Report indicated that the number of browser vulnerabilities is on the rise. Firefox led the pack both in terms of the absolute number of vulnerabilities disclosed in the last six months and in terms of percentage growth over the year. The report also noted that Firefox had the shortest "window of vulnerability," meaning that the time between a flaw's identification and its fix was comparatively shorter than for other browsers. Nevertheless, the current state of affairs has led many readers to start joking, "Firefox: the next Internet Explorer."