Thursday, June 22, 2017

Firefox: Mozilla plugs NSS security hole - update also for Chrome

Mozilla has updated its NSS (Network Security Services) library to fix a bug in certificate checking. The new versions Firefox 32.0.3, Seamonkey 2.29.1 and Thunderbird 31.1.2 contain a corrected NSS version. Google’s Chrome browser also uses Mozilla’s NSS library, so Google has published Chrome 37.0.2062.124.


Several security researchers discovered the error independently: Antoine Delignat-Lavaud, a member of the Prosecco team at the research institute Inria in Paris, reported the problem to Mozilla. In parallel, Intel Security (formerly McAfee) researched the vulnerability. They suspect a connection to a vulnerability that was discovered in OpenSSL back in 2006.




The problem in previous versions of the NSS library is that RSA certificates are not checked carefully enough. A website uses such certificates to identify itself to the browser on SSL-encrypted connections (HTTPS). Because of the negligent certificate check, any website can pose as the web presence of a bank, for example. That makes a phishing attack much more convincing.




Firefox 32.0.3 is already the third bug-fix update since the release of Firefox 32 in early September. It is, however, the first update in this series that closes a security hole. The other two only corrected minor errors.
