Firefox 3.5.2 and 3.0.13 fix security vulnerabilities
The updates also remove a bug which could allow fraudsters to present crafted pages as SSL protected, by calling window.open on an invalid URL and then writing content into the new window with document.write. Phishers could try to exploit this to steal data. The latest version of the browser also fixes a bug in the way SOCKS5 responses containing DNS names longer than 15 characters are processed.
The Mozilla Foundation has now released information on two old SSL certificate processing vulnerabilities which have long been fixed in Firefox 3.5 but are still present in Firefox 3.0.x, and are set to remain so. Moxie Marlinspike revealed details of the vulnerabilities in his recent presentation at Black Hat. Inserting a null character into the subject name of a certificate causes many browsers to think that a certificate issued to www.paypal.com\0.thoughtcrime.org, for example, belongs to www.paypal.com: the issuing CA validates the name against the domain at its end (thoughtcrime.org), while the browser's C-string comparison stops at the null and sees only www.paypal.com. The Mozilla security advisory indicates that this can be used to prise open Firefox's secure update mechanism, and indeed an update attack tool was presented at Black Hat.
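The following is an added example, not code from the article or from NSS, that shows the mismatch in miniature. The certificate name is a constructed sample carried as a length-prefixed byte string, as a DER parser would hand it over; the function and variable names are assumptions made for illustration. `hostname_matches_vulnerable` compares the name as a NUL-terminated C string and is fooled, `hostname_matches_hardened` uses the encoded length and rejects any embedded NUL, and `cn_owner_domain` recovers the domain the issuing CA would actually have validated.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a certificate name as an attacker controlling
 * thoughtcrime.org would request it. The CA sees the whole 32-byte string
 * and validates ownership of thoughtcrime.org; a C-string comparison stops
 * at the embedded NUL and sees "www.paypal.com". */
static const unsigned char crafted_cn[] = "www.paypal.com\0.thoughtcrime.org";
#define CRAFTED_CN_LEN (sizeof(crafted_cn) - 1) /* 32 bytes, DER length, no C terminator */

/* Vulnerable (assumed shape of the flawed check): ignores the encoded length
 * and lets strcmp terminate at the first NUL byte. */
bool hostname_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened: a name with an embedded NUL is malformed and never matches;
 * otherwise compare exactly cn_len bytes against the expected host name. */
bool hostname_matches_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    if (strlen(host) != cn_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* The domain the CA validates: the last two labels of the full, length-
 * delimited name (a simplification; real CAs use public-suffix rules).
 * Writes the suffix into out and returns its length, or 0 if it does not fit. */
size_t cn_owner_domain(const unsigned char *cn, size_t cn_len, char *out, size_t out_len)
{
    size_t dots = 0, i = cn_len;
    while (i > 0) {
        if (cn[i - 1] == '.' && ++dots == 2)
            break;
        i--;
    }
    size_t start = (dots == 2) ? i : 0;
    size_t len = cn_len - start;
    if (len + 1 > out_len)
        return 0;
    memcpy(out, cn + start, len);
    out[len] = '\0';
    return len;
}

/* Convenience wrapper so the CA's view can be checked without an external buffer. */
bool cn_owner_domain_equals(const unsigned char *cn, size_t cn_len, const char *expected)
{
    char buf[256];
    return cn_owner_domain(cn, cn_len, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char owner[256];
    cn_owner_domain(crafted_cn, CRAFTED_CN_LEN, owner, sizeof owner);
    printf("CA validated ownership of: %s\n", owner);
    printf("vulnerable check accepts www.paypal.com: %s\n",
           hostname_matches_vulnerable(crafted_cn, CRAFTED_CN_LEN, "www.paypal.com") ? "yes" : "no");
    printf("hardened check accepts www.paypal.com:   %s\n",
           hostname_matches_hardened(crafted_cn, CRAFTED_CN_LEN, "www.paypal.com") ? "yes" : "no");
    return 0;
}
```

The same length-aware rule applies to every string pulled out of a certificate (subject alternative names, issuer fields, URLs in extensions): the length comes from the DER encoding, never from the position of the first NUL.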
The problem was discovered independently by Marlinspike and Dan Kaminsky. Kaminsky, however, chose to work on a coordinated fix in conjunction with Microsoft's Vulnerability Research team, since the problem is not confined to Firefox but also affects Internet Explorer and other browsers. Last but not least, Marlinspike also discovered a heap overflow when processing crafted certificates which could be exploited to inject and execute code. This latter vulnerability also affects Thunderbird and SeaMonkey. Whether or not these products have received the fix is not clear from the advisory, which merely states that the bug has been fixed in Network Security Services (NSS) 3.12.3.
The Mozilla Foundation is recommending that Firefox 3.0.x users should now upgrade to 3.5.x – support for the former is set to end in January 2010.
- Mozilla Foundation Security Advisories
- DEFCON: Danger from automatic updates, a report from The H.
- SSL flaw revealed at Black Hat, a report from The H.