, SecurityFocus 2006-10-03
The presentation was intended mainly as a joke, Spiegelmock said in the statement, in which he apologized.
"The main purpose of our talk was to be humorous," the 19-year-old researcher said in the statement. "As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has."
Spiegelmock and his employer, blog developer and service provider Six Apart, backed off those statements on Monday.
"I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim," Spiegelmock said in the statement posted to Mozilla's blog late Monday night. "I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not."
According to a source familiar with the matter, Spiegelmock does not have any other information about vulnerabilities outside of the denial-of-service vulnerability included in the presentation. Moreover, the college student has disclosed all details about the flaws to the Mozilla Foundation. Neither Spiegelmock nor Wbeelsoi responded to e-mailed interview requests.
Six Apart downplayed the style of the presentation as a prank.
"Mischa is a young man--he meant the presentation in jest," said Jane Anderson, spokeswoman for Six Apart.