Mozilla on Monday issued an update for Firefox that fixes serious security bugs in the popular open-source browser, including one disclosed last week that could make it easy for attackers to spoof the SSL certificates used to secure websites.
The vulnerability meant Firefox could be tricked by rogue certificates, a potentially dangerous flaw that could permit attackers to create convincing-looking forgeries of websites used for banking, email and other sensitive services. The technique works by adding a simple null-string character to several certificate fields and was independently disclosed at the Black Hat security conference by researchers Moxie Marlinspike and Dan Kaminsky.
"We strongly recommend that all Firefox users upgrade to this latest release," a statement on Mozilla's website read.
The SSL vulnerability permitted Marlinspike to create what he called a universal wildcard certificate that caused Firefox to authenticate every domain name on the internet. He did so by applying for a legitimate certificate for his website thoughtcrime.org. In the commonName field he listed the website as *\0.thoughtcrime.org, causing the browser to believe the certificate was universally valid.
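How the null-prefix name fools a length-unaware client, as an added illustration that is not from the article or from Mozilla's code: it models a CA that checks only the registrant's domain suffix, a client that copies the name into a C string and so stops at the NUL, and a hardened matcher that rejects embedded NULs and constrains the wildcard. The hostnames and function names are assumptions made for the example.

```python
# Added example (not Mozilla/NSS code). Assumption: the CA validates that
# the applicant controls the trailing labels of the commonName, while a
# C-string based client reads the name only up to the first NUL byte.

def ca_approves(cn: bytes, registrant_domain: bytes) -> bool:
    """The CA sees the full length-delimited string and only checks that
    it ends in a domain the applicant controls, so '*\\0.thoughtcrime.org'
    looks like an ordinary name under thoughtcrime.org."""
    return cn == registrant_domain or cn.endswith(b"." + registrant_domain)


def c_string(cn: bytes) -> bytes:
    """A client that stores the name as a NUL-terminated C string silently
    drops everything from the first NUL byte onwards."""
    return cn.split(b"\0", 1)[0]


def naive_match(cn: bytes, host: bytes) -> bool:
    """Vulnerable matcher: truncates at NUL, then treats a bare '*' as a
    wildcard for any host at all (the behaviour the article describes)."""
    name, h = c_string(cn).lower(), host.lower()
    if name == b"*":
        return True
    if name.startswith(b"*."):
        return h.endswith(name[1:])
    return name == h


def hardened_match(cn: bytes, host: bytes) -> bool:
    """Hardened matcher: compare the whole length-delimited string, reject
    embedded NULs and non-ASCII bytes, and accept '*' only as the entire
    leftmost label with at least two labels following it."""
    if b"\0" in cn or not cn.isascii():
        return False
    name, h = cn.lower(), host.lower()
    if name.startswith(b"*."):
        rest = name[2:]
        if rest.count(b".") < 1 or b"*" in rest:
            return False
        labels = h.split(b".", 1)
        return len(labels) == 2 and labels[1] == rest
    return b"*" not in name and name == h


def demo() -> dict:
    """Runs the article's commonName against a constructed victim host."""
    cn = b"*\0.thoughtcrime.org"            # the name from the article
    victim = b"www.bank.example"            # constructed hostname
    return {
        "ca_approves": ca_approves(cn, b"thoughtcrime.org"),   # True
        "naive": naive_match(cn, victim),                      # True: spoofed
        "hardened": hardened_match(cn, victim),                # False
    }
```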
The vulnerability was repaired in version 3.5 of the browser, according to this archive of security advisories. Curiously, the archive shows the same hole being fixed in version 3.5.2, which was released Monday. Separate security advisories for 3.0 show it was also fixed in version 3.0.13.
Mozilla said three of its other products - Thunderbird, SeaMonkey and NSS - are vulnerable to the same attack. Presumably, fixes for those applications will be forthcoming.
The update brings the latest version of Firefox to 3.5.2. For those who are unable to upgrade to version 3.5 of the browser, the open-source outfit issued a patch that brings the earlier version to 3.0.13. The vulnerabilities apply to the Windows, Mac and Linux platforms.
It is the second time in 18 days that Mozilla has fixed serious bugs in its flagship web browser. Two weeks ago, the foundation rushed out an update to patch a JavaScript-based memory corruption bug that was already being targeted in the wild.
Marlinspike said a lot of internet client-side software that implements SSL is vulnerable to the null-string bug, so we'd expect this to be the first of many patches fixing that vulnerability.