Decius wrote:

Acidus wrote:
So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there.

He has gone on record saying that this was a joke and that they don't have code execution.

I really don't get the joke. Maybe I'm not smart enough.

Meantime the frontpage of google news shows headlines like

"Firefox JavaScript security "a complete mess""
"Firefox zero-day exploit surfaces"
"Critical Firefox flaw exposed"
"Alleged 'Unfixable' Exploit in Firefox"

None of them got the joke either. To be sure, there's some sensationalism and irresponsible journalism on the part of the authors of those stories, but that doesn't change the fact that this "joke" has become a media nightmare for the Firefox folks. You just know the tech media have been crouched and ready for bad Firefox news... after months of "FIREFOX IS AWESOME," you know they wanted some comeuppance, fair or otherwise. So here it is, a restoration of "fairness" (in which fair is defined in the only way people seem to permit these days -- bash both sides equally), and the takedown they've all been waiting for.

And an undeserved one as well, from where I'm standing.

If you can put a price on customer good will (you can) then they're suffering very real damages over this completely unfunny "joke." Unfortunately they're probably painted into a corner on legal remedies because everyone will *say* they're out to shut down security research if they sue.

It sucks, and these tools should've fucking known better.

RE: On Six Apart and the dropping of the 0day