One of the biggest stories out of last week’s Black Hat event was the disclosure that Firefox and other web browsers were at risk from SSL man-in-the-middle attacks. The attacks, discussed and reported by Dan Kaminsky and Moxie Marlinspike, involve null characters in wildcard SSL certificates, which tricked the browser into accepting /o*.attackdomain.realdomain.com as a legitimate SSL certificate for realdomain.com.
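The mechanism behind that trick is a certificate Common Name that carries an embedded null byte: software that handles the name as a C string stops reading at the null and sees only the prefix, while the full encoded value names something else. The following is an added illustration, not code from Mozilla or from the researchers; the names realdomain.com and attackdomain.com are placeholders, and the sample Common Name is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample Common Name as it would be encoded in a certificate,
 * carried with an explicit length rather than as a C string. The domain
 * names are hypothetical placeholders. */
static const unsigned char sample_cn[] = "realdomain.com\0.attackdomain.com";
static const size_t sample_cn_len = sizeof(sample_cn) - 1; /* 32 bytes, not counting the terminator */

/* Vulnerable-style check: treats the CN as a C string, so strcmp() stops at
 * the first null byte and everything after it is never compared. */
int match_cn_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                      /* the encoded length is ignored: the defect */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: honour the encoded length, reject any embedded null byte
 * (never legitimate inside a hostname), and compare the whole value. */
int match_cn_strict(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != strlen(host))
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    printf("C-string compare accepts: %d\n", match_cn_cstring(sample_cn, sample_cn_len, "realdomain.com"));
    printf("length-aware compare accepts: %d\n", match_cn_strict(sample_cn, sample_cn_len, "realdomain.com"));
    return 0;
}
```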
Mozilla was aware of the issue as far back as February, according to the Bugzilla report, and the fix was already included in Firefox 3.5 when that browser was released in June.
Mozilla published an advisory on the issue on Saturday.
“Users of unfixed versions of Firefox 3.0 who are concerned about the potential for this attack on their network should download the latest Firefox 3.5 from our web site, and on Windows ensure that the installer is signed and that ‘Mozilla Corporation’ is the publisher.”