At the hacker convention ToorCon 2006, speakers Mischa Spiegelmock and Andrew Wbeelsoi presented (CNet video) how a current Firefox vulnerability could be exploited to gain control of a web visitor's computer. The example exploits a flaw in Mozilla's JavaScript implementation. An attacker would need to craft a specially coded web page and would take control once an unwitting visitor reaches the site.
SecuriTeam has pointed to 3 reported bugs (currently closed to the public) in Mozilla's Bugzilla database as the cause of the announced vulnerability. Brendan Eich, creator of JavaScript and Mozilla's Chief Technology Officer, commented that two of the bugs are new and apply only to Firefox 2 (currently in release candidate status), not to the 1.5.x branch, which is the latest current release. The third bug is related to old code that was left in for backwards compatibility and should be removed soon.
Eich adds: "Although we don’t want to spoon-feed exploits of unpatched bugs to blackhats, we disclose everything in due course. Everything. This causes bean-counters to declare us less secure. That’s obviously unproven and unproveable, but also unlikely. More important, if you count days of exposure, we are demonstrably better than other browsers."
Spiegelmock and Wbeelsoi also mentioned that they know about 30 other vulnerabilities; as reported on CNet, "they don't plan to disclose them, instead holding on to the bugs."
As a side note, patches for two JavaScript security vulnerabilities are landing in today's Firefox 2 nightly build. These, however, were discovered before ToorCon.
UPDATE: Window Snyder, Mozilla Chief Security Officer, has declared: "So far we’ve been able to reproduce a denial of service issue based on the information they gave during their talk. In some cases this causes a crash based on an out of memory error. Based on the information we have at this time we have not been able to confirm whether an attacker can achieve code execution. We’re still investigating and we’ll keep you updated."
UPDATE 2: Spiegelmock was contacted by Mozilla and clarified that he has not been able to exploit the vulnerability to execute code, only to crash Firefox. He doesn't know about 30 other vulnerabilities; that claim was made by Wbeelsoi. Mozilla is nevertheless proceeding with its investigation.
[...] I had mentioned the other night on my Firefox 2.0 RC1 Update entry two bug (353264 & 353266) reports I could not access due to not having a high enough authorization level. Today in mozilla links » Firefox vulnerability disclosed at ToorCon 2006: [...]