Firefox Update Fixes Serious SSL, Other Bugs

A Firefox update released today fixes a recently disclosed flaw in the way Firefox 3.0 and other programs handle SSL certificates, which are used for (theoretically) secure online communications.

The SSL cert problem was reported at last week's Black Hat security conference, and could allow an attacker to use a "null-termination" certificate to intercept SSL communications between the browser and a site. Such traffic is normally encrypted so that it would only appear as indecipherable letters and numbers to any digital spies, but the cert bug allows for a successful "man-in-the-middle" hijack if an attacker has access to your network.
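An added illustration, not Mozilla's code or the researcher's: it shows the general shape of a null-termination name problem beside a length-aware check. It assumes the flaw arises when a certificate name that carries its own length is compared as a C string. The struct, function names and sample names are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Certificate name as decoded from the certificate: bytes plus explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples; names are assumed to be lowercased already. */
static const unsigned char HONEST[]  = "www.shop.example";
static const unsigned char CRAFTED[] = "www.shop.example\0.other.example";
static const struct cert_name honest  = { HONEST,  sizeof HONEST  - 1 };
static const struct cert_name crafted = { CRAFTED, sizeof CRAFTED - 1 };

/* Flawed: strcmp stops at the first NUL and never sees the rest of the name. */
static int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened: reject embedded NULs, then compare using the decoded length. */
static int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && memcmp(cn->data, host, cn->len) == 0;
}

int main(void)
{
    const char *host = "www.shop.example";
    printf("crafted, C-string compare:     %d\n", match_cstring(&crafted, host));
    printf("crafted, length-aware compare: %d\n", match_length_aware(&crafted, host));
    printf("honest,  length-aware compare: %d\n", match_length_aware(&honest, host));
    return 0;
}
```

The same rule applies to any code that validates certificate names: a name containing a NUL byte is rejected rather than truncated.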

Firefox 3.0.13 fixes the problem, along with another certificate problem reported by the same researcher, Moxie Marlinspike. Firefox 3.5 was already protected from these errors, but a new 3.5.2 browser update fixes other security holes, including a JavaScript bug that could potentially be targeted to install malware.

To pick up the update for either version, head to Help | Check for Updates. And for a full list of the security fixes and other changes in both updates, see the Firefox 3 release notes and those for Firefox 3.5.
