Firefox Update Fixes Serious SSL, Other Bugs

A Firefox update released today fixes a recently disclosed flaw in the way Firefox 3.0 and other programs handle SSL certificates, which are used for (theoretically) secure online communications.

The SSL cert problem was reported at last week's Black Hat security conference, and could allow an attacker to use a "null-termination" certificate to intercept SSL communications between the browser and a site. Such traffic is normally encrypted so that it would only appear as indecipherable letters and numbers to any digital spies, but the cert bug allows for a successful "man-in-the-middle" hijack if an attacker has access to your network.

Firefox 3.0.13 fixes the problem, along with another certificate problem reported by the same researcher, Moxie Marlinspike. Firefox 3.5 was already protected from these errors, but a new 3.5.2 browser update fixes other security holes, including a JavaScript bug that could potentially be targeted to install malware.

To pick up the update for either version, head to Help | Check for Updates. And for a full list of the security fixes and other changes in both updates, see the Firefox 3 release notes and those for Firefox 3.5.
