Update: The hacker who claimed there were numerous flaws in Firefox, including one that could compromise a system from just visiting a website has backed off, saying he was never really successful in doing such a thing. Furthermore he added that his comments during the event were supposed to be "humorous."
Two hackers by the names of Mischa Spiegelmock and Andrew Wbeelsoi have attacked the security of the Firefox browser, claiming that it is a "complete security mess" and that it cannot be made secure without massive rewrites of key parts of its code.
Speaking at the ToorCon hacker conference, Spiegelmock and Wbeelsoi explained that Javascript in the (about 10 year's old) code make it a breeze to cause stack overflows. Seemingly, an attacker could easily craft a web page that contains some malicious JavaScript code, and exploit these flaws to their advantage. Additionally, the two hackers claim they know of more than 30 unpatched Firefox flaws, which they currently don't plan to disclose. If the flaw in question truly lies in the JavaScript virtual machine, it will be hard to fix and will involve more than a standard patch.
Reacting to these claims, Mozilla's security head Window Snyder claimed that she did not believe that the flaws were so serious that they could not be fixed with patches. Snyder did, however, admit the obvious need to investigate these issues.
"What they are describing might be a variation on an old attack," she said. "We're going to do some investigating."
During the presentation, a Mozilla security staffer named Jesse Ruderman appealed to the black hat community to responsibly disclose flaws via Mozilla's bug bounty programme instead of using them for malicious purposes.