The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference. The flaw affects Firefox on Windows, Apple Computer’s Mac OS X and Linux, they said.

The flaw is specific to Firefox’s implementation of JavaScript, a 10-year old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a “complete mess,” he said. “It is impossible to patch.”

The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla’s security chief, said after watching a video of the presentation Saturday night. “What they are describing might be a variation on an old attack,” she said. “We’re going to do some investigating.”

Source: News.com