Mozilla Patches Firefox for Black Hat Flaws

One of the biggest threats to emerge out of the recent Black Hat security conference was a pair of weaknesses that attackers could use to undermine Secure Sockets Layer, or SSL.

Open source browser vendor Mozilla is now updating its Firefox 3.0.x browser for the Black Hat flaws, while updating its Firefox 3.5.x browser for at least four new vulnerabilities.

As part of the Firefox 3.5.2 update late Monday, Mozilla included a total of six security advisories, two of which were previously patched.

At the Black Hat security conference, researchers Dan Kaminsky and Moxie Marlinspike separately reported a pair of issues related to how browsers handle SSL certificates. The result of the flaws is that a browser could potentially be tricked into reporting an SSL certificate as valid if signed for an invalid wildcard domain.

Mozilla has now disclosed that Firefox 3.5 was patched for the SSL flaws from its initial release in June, while the 3.0.x line is being publicly patched for the first time with the new 3.0.13 release.

According to Mozilla, it did not previously publicly disclose the fixes in Firefox 3.5 in order to protect users of other browsers.

“When a researcher finds problems that apply across browsers, we are careful to ensure that we don’t make the problem worse by releasing our own fix so quickly that it points attackers to the vulnerabilities in other applications,” Mozilla’s Jonathan Nightingale told “Firefox 3.5 already contains most of the necessary fixes because doing so didn’t risk creating a zero-day situation for other browsers: There were thousands of changes in Firefox 3.5, so an attacker wouldn’t have any obvious targets.”

Mozilla had been aware of at least one of the SSL flaws since February, when the initial bug report was made, according to Mozilla’s own Bugzilla bug tracking entry for the flaw.

In addition to the SSL flaws reported at Black Hat, Firefox 3.5.2 includes a fix for an SSL flaw that was not disclosed by the Black Hat security researchers. The new flaw actually uses a valid SSL certificate that can then be used to spoof an invalid URL.

According to the security advisory, the SSL spoofing issue was reported by security researcher Juan Pablo Lopez Yacubian.

“An attacker could call on an invalid URL, which looks similar to a legitimate URL, and then use document.write() to place content within the new document, appearing to have come from the spoofed location,” Mozilla warned in its advisory. “Additionally, if the spoofed document was created by a document with a valid SSL certificate, the SSL indicators would be carried over into the spoofed document. An attacker could use these issues to display misleading location and SSL information for a malicious Web page.”

Firefox 3.5.2 also fixes two other critical vulnerabilities. One of these is a privilege escalation flaw, while the other involves crashes with evidence of memory corruption.

Mozilla’s Firefox recently hit a major milestone with 1 billion downloads. Developers are currently working on the next-generation 3.6 browser as well as some early conceptual work on Firefox 4.
