Mozilla patches critical Firefox flaw
Mozilla has patched a very critical flaw in Firefox that allows attackers to pose as a legitimate Firefox update server and implant harmful code into a victim’s computer. Firefox 3.0.13 and 3.5.2 are no longer vulnerable to this attack and the update should automatically run. It would be prudent to check it manually under the Firefox “Help” menu and open the “About” window.
The underlying flaw in the Mozilla Network Security Services (NSS) module allowed attackers to completely fake a Digital Certificate by disguising the domain name using a null character. The flaw was discovered by Moxie Marlinspike and disclosed at BlackHat 2009 and DEFCON 17 last week in Las Vegas. Microsoft’s CryptoAPI and Open Source GnuTLS is also affected by this vulnerability and they still allow the spoofing of Digital Certificates. Internet Explorer was not as severely impacted as Mozilla Firefox because it used Microsoft’s internal certificate signing authorities which spared it from the rogue update server problem, but it is still vulnerable to fake SSL websites.
Microsoft CryptoAPI exposes most Windows applications to SSL attacks
The problem goes far beyond web browsers because SSL facilitates secure communications across a broad range of applications. For example, Microsoft’s CryptoAPI is also used by many other applications such as Outlook, Citrix, Wireless Authentication, and most SSLVPN solutions including Microsoft’s SSTP VPN solution. SSL has essentially been compromised when the names identified in X.509 Digital Certificates are no longer trustworthy.
Microsoft at this time is looking at the problem internally but they have not disclosed a timeline for a fix. Until CryptoAPI is fixed, SSL authentication is essentially broken for the vast majority of Windows applications. Companies and organizations with very strict security requirements could consider removing all public certificate authorities from their Certificate Trust List (CTL), but that would break SSL for most public websites in Internet Explorer though SSL is essentially already broken. There is unfortunately no clean solution until Microsoft releases a patch for CryptoAPI.
[...] See the full story at DigitalSociety.org » Categories: BlackHat, DEFCON, Microsoft, Mozilla, Security, Security news Tags: Comments (0) Trackbacks (0) Leave a comment Trackback [...]
[...] [...]
Leave your response!
Twitter Feed
About Us
Digital Society is a digital think tank that believes culture and commerce are inseparable, that the digital economy flourishes when people are free and rights are secure, and that free markets free people.
Digital Society is an independent 501(c)3 non-profit organization, funded by donations from Jon Henke and from Arts+Labs. We advocate for a pro-culture, pro-commerce digital society through research, analysis and debate on emerging technology issues.
Reply Comments
Transparency and interactivity are trademarks of the Internet era, and we aim to foster them here at Digital Society. It is inevitable that some people will disagree with the technology policy positions we take. We want to have that constructive debate.
The Reply Comments feature gives our critics a chance to respond to our viewpoints and the Digital Society audience convenient access to competing arguments. Any time we directly challenge the views of an individual or a group on this site, the party in question may substantively respond in a guest post.
Please contact editorial director K. Daniel Glover by e-mail.
Subscribe
Recent Posts