Pre-teen gets $3000 for spotting critical flaw in Firefox

Reporting on the latest payout, the Softpedia newswire says that the flaw identified by Alexander Miller – CVE-2010-3179 – is a buffer overflow and memory corruption issue, which can occur when using the document.write function.

The security flaw can reportedly be exploited by tricking potential victims into visiting a specially crafted web page that crashes their browsers and potentially allows the attacker to execute malicious code on their computers.

"Security researcher Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data", says Mozilla in its report on the flaw.

"However, what the advisory doesn't say is that Alexander Miller is a 12-year-old seventh-grader, who lives in Willow Glen, San Jose, California", says Softpedia, adding that the pre-teen has been trying to find a major bug in Firefox ever since Mozilla revamped its reward programme earlier this year.

Infosecurity notes that, back in the summer, Mozilla attracted some criticism for its decision to raise its bug-spotting reward from $500 to $3000, with some experts saying that it only served to highlight the rewards of finding flaws, and that cybercrime gangs may step in to outbid Mozilla on the more serious ones.

The San Jose Mercury News, meanwhile, says that the 12-year-old originally found something in his initial search for Firefox flaws, and sent in a bug report, but it wasn't the right type of flaw to qualify for a large payout.

"Alex returned to the computer and his exploration. By Alex's estimation he spent about 90 minutes each day for about 10 days until he spotted it – a flaw in the memory of the running programme", the paper said.

"There might have been dancing and some whooping at that point, he says."
