Mozilla Releases Patches for Critical Vulnerabilities in Firefox

Mozilla has issued two advisories to fix critical vulnerabilities in its popular Firefox web
browser.

Security experts have rated the vulnerabilities as 'critical', and state that they could be
exploited by hackers to execute harmful codes and insert malware in computers. To execute
malicious codes, no user interaction is required except normal browsing.

With the vulnerabilities, hackers could easily track any Web session and steal critical
passwords. Moreover, they could deceive Firefox users to accept fake software updates containing
malware.

It is said that two of the three vulnerabilities in Firefox 3.0 and Firefox 3.5 were revealed at
the Black Hat Conference in the last week of July 2009, while the third one had been detected in
Mozilla in June 2009.

Marlinspike and Kaminsky, Independent Researchers, said at the Black Hat Conference that hackers
could exploit vulnerabilities in browsers' implementation of Secure Socket Layer (SSL). SSL is a
default encryption protocol.

Kaminsky discovered a mismatch in the domain names when Certificate Authorities (CA) allocate SSL
certificates to SSL clients. The right of issuing SSL certificates rest with the Certificate
Authorities only. The researcher said that in case a malicious person applied for a certificate
for a host using an invalid null character, CAs issued the certificate if the applicant had
specified the domain name after the null. He also found that most SSL clients usually ignored the
name section and feed the invalid part in front of null.

Hence, this makes the job of hackers slightly easy as they can obtain certificates that work for
any website. These certificates could also be used by attackers to intercept and potentially
change the encrypted communication between sever (such as sophisticated bank account
transactions) and client.

The researchers said that as Firefox used SSL to ensure protection of security updates, this
could lead to the installation of malicious updates.

Mozilla Firefox versions 3.x, Mozilla SeaMonkey versions 1.x and Mozilla Thunderbird versions 2.x
are the affected versions. These flaws are the result of errors in Network Security Services
(NSS).

Therefore, Mozilla has asked its users that they should update the running version of NSS to
version 3.12.3 or later. Users who have been using Firefox 3.0 and suspect that there could be
attack on their network, they should switch on to the new Firefox version 3.5.

Related article: Mozilla Rules Out Bug in Its Firefox

» SPAMfighter News - 8/21/2009