Mozilla's head of security, Window Snyder, indicated that Mozilla believes the exploit to be real. She has also said that the presentation given at the conference contained enough information that other hackers may be able to reproduce the exploit before it can be patched.
Reports of the flaw come less than a week after Symantec's biannual Internet Security Threat Report indicated that the number of browser vulnerabilities is on the rise. Firefox led the pack both in terms of absolute number of vulnerabilities disclosed on the last six months, and in terms of percentage growth over the year. The report also noted that Firefox had the lowest "window of vulnerability," meaning that the time between identification and fix was comparatively shorter that for other browsers. Nevertheless, the current state of affairs has led many readers to start joking, "Firefox: the next Internet Explorer."
The zero-day debate
Spiegelmock and Wbeelsoi declined to discuss how they identified the exploit, but it has occasioned a return to arguments over the security of open source software. Opponents have long argued that open source software is inherently unsafe because Bad People can pore over the source code looking for exploits. Opponents liken it to publishing the blueprints to a fortress. Open source advocates have argued the opposite, namely that publishing source code ultimately results in more security. The more eyes that pore over the source code, it is argued, the more likely it is that vulnerabilities will be discovered and fixed.
The truth is likely somewhere in-between. Publishing source code certainly does raise the possibility of an exploit being found via that same source code. It's what happens after the flaws are found that seems to stir so much debate. Human nature being fickle, there's little to recommend predicting one outcome over another, especially in an environment where exploits can be sold to the highest bidder for nefarious means.
Mozilla has been able to reproduce a DoS issue based on the information, according to a new post on the Mozilla Developer Center. So far, they have yet to determine whether code execution is a possibility, but say they are "still investigating" and promise updates as necessary.