The security team at Mozilla is looking into a flaw in its Firefox Web browser that hackers exposed at a conference in San Diego over the weekend.
In a presentation at the ToorCon hacker conference on Saturday, hackers Mischa Spiegelmock and Andrew Wbeelsoi demonstrated exploit code for a vulnerability in the way Firefox handles Javascript.
On Monday, Mozilla said it was busy investigating the flaw, and did not offer any security researchers for comment because, according to spokeswoman Mary Colvig, they were all “heads down” on the problem. The company also said it will patch the flaw if it deems that action necessary.
The vulnerability could allow someone to execute a memory corruption attack on Firefox if a user browsed to a Web site that contained the exploit code, said Ken Dunham, director of the rapid response team at security services company iDefense, a VeriSign company.
“If you were to go to a Web site that contained the exploit code, it would fill up the available memory on the computer,” he said. This would create an environment in which an attacker could take over the computer to do something harmful, he added.
Dunham said that iDefense labs tested the exploit code, and it was “unreliable” and crashed the Firefox browser. Because of this, he does not consider the exploit to be a critical threat to Firefox. However, “someone could make some changes to the exploit code and make it more reliable,” Dunham said.
He added that there are other, more critical unpatched flaws in both Firefox and Microsoft’s Internet Explorer browser that are currently under attack by hackers.
There was no word if the flaw affected the Macintosh version of the browser.