August 04, 2009
Mozilla on Monday issued an update for Firefox that fixes four critical security bugs in the popular open-source browser, including one exposed last week that could make it easy for attackers to spoof SSL certificates used to secure websites.
The vulnerability meant Firefox could be tricked by rogue certificates, a potentially dangerous scenario that could allow attackers to create convincing-looking forgeries of websites used for banking, email and other sensitive services. The technique works by adding a simple null character to several certificate fields and was independently reported at the Black Hat security conference by researchers Moxie Marlinspike and Dan Kaminsky.
"We strongly recommend that all Firefox users upgrade to this latest release," a statement on Mozilla's website read.
The SSL vulnerability allowed Marlinspike to create what he called a universal wildcard certificate that caused Firefox to authenticate every domain name on the internet. He did so by applying for a normal certificate for his website thoughtcrime.org. In the commonName field he listed the site as *\0.thoughtcrime.org, causing the browser to believe the certificate was universally valid.
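The validation flaw described above, shown next to a hardened check, as an added example that is not Mozilla's code or part of the original article. The struct, the simplified matcher and all function names are hypothetical; the only value taken from the article is the commonName string.

```c
#include <stdio.h>
#include <string.h>

/* A name as it sits in the certificate: raw bytes plus an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples: the commonName quoted in the article, and a normal wildcard. */
static const unsigned char NUL_CN[] = "*\0.thoughtcrime.org";
static const unsigned char OK_CN[]  = "*.thoughtcrime.org";
const struct cert_name nul_cn = { NUL_CN, sizeof(NUL_CN) - 1 };
const struct cert_name ok_cn  = { OK_CN,  sizeof(OK_CN) - 1 };

/* Simplified matcher (hypothetical): a leading '*' matches any prefix of host.
   Case folding and per-label rules are left out to keep the focus on the NUL. */
int wildcard_match(const char *pattern, const char *host) {
    if (pattern[0] == '*') {
        size_t sl = strlen(pattern + 1), hl = strlen(host);
        return hl >= sl && strcmp(host + hl - sl, pattern + 1) == 0;
    }
    return strcmp(pattern, host) == 0;
}

/* Flawed: treats the bytes as a C string, so everything after the NUL is
   ignored and the pattern seen by the matcher is just "*". */
int match_flawed(const struct cert_name *cn, const char *host) {
    return wildcard_match((const char *)cn->data, host);
}

/* Hardened: use the declared length and reject any name with an embedded NUL. */
int match_hardened(const struct cert_name *cn, const char *host) {
    char buf[256];
    if (cn->len == 0 || cn->len >= sizeof(buf)) return 0;
    if (memchr(cn->data, '\0', cn->len) != NULL) return 0;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return wildcard_match(buf, host);
}

int main(void) {
    printf("flawed,   NUL name vs www.example.com: %d\n", match_flawed(&nul_cn, "www.example.com"));
    printf("hardened, NUL name vs www.example.com: %d\n", match_hardened(&nul_cn, "www.example.com"));
    printf("hardened, wildcard vs www.thoughtcrime.org: %d\n", match_hardened(&ok_cn, "www.thoughtcrime.org"));
    return 0;
}
```

The same embedded-NUL rejection belongs on every certificate name field that is compared against a hostname, since the article notes that several fields were affected.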
Source: theregister.co.uk