back to article Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln

Mozilla Firefox needs patching urgently following the discovery that the open source browser is vulnerable to SSL man-in-the-middle attacks. The critical bug arises because the Network Security Services (NSS) libraries parser built into the browser is capable of being tricked into accepting forged RSA certificate signatures. …

  1. This post has been deleted by its author

    1. Dan 55 Silver badge

      Settings > Advanced > Update > 'Never check for updates (not recommended: security risk)'.

      Enjoy being pwned.

      Alternatively use Classic Theme Restorer and allow updates.

      1. BillG Silver badge

        Settings > Advanced > Update > 'Never check for updates (not recommended: security risk)'.

        That prevents it from auto-updating, but there is no setting to prevent the nag popup sceens.

        I have an old laptop with Firefox 3.2.28, Outpost firewall, and an antivirus. Last year I ran a contest, if you can infect my machine through that version of Firefox I give you $100, if you can't, you give me $50. I admitted my firewall is Outpost, but my antivirus is undisclosed. There were no takers despite the outcry from Firefox fanbois gleefully insisting my laptop was going to hell.

        My main daily laptop has Firefox 27 and has never had a single problem.

    2. Avalanche

      You can configure it to update automatically (I believe that is even the default).

    3. jwatt

      Current versions of Firefox will only prompt if you have incompatible add-ons installed. If you want to auto-update anyway set the prefs:

      app.update.mode=0

      app.update.silent=true

      http://kb.mozillazine.org/App.update.mode

      http://kb.mozillazine.org/App.update.silent

  2. regadpellagru

    funny small mistake

    " a security researcher at Prosecco"

    No, he's working for french INRIA (Institut National de Recherche en Informatique Appliquée). It's his team whose name is Prosecco.

  3. LDS Silver badge

    Security researcher at "Prosecco"

    Are good security company names already all taken? Or they make wine and security research at the same time?

    1. Fred Flintstone Gold badge

      Re: Security researcher at "Prosecco"

      Or they make wine and security research at the same time?

      Is there any other way? :p

  4. Rob Carriere
    Coat

    "Is capable of being tricked"

    An enviable capability, to be sure.

  5. Stevie Silver badge

    Bah!

    Oh well. There goes my Thunderbird calendar plugin again. Every update seems to make it "invalid".

    But what do I expect; it's free!

    1. John Sager

      Re: Bah!

      Lightning 3.3 still worked with Thunderbird 31.1.2 but I've now updated to Lightning 3.3.1. The real thing that killed my calendar was when I updated my server to Ubuntu 14.04. The extra stuff I had in apache's sites-available directory, including davical, stopped working because the scripts now all needed the suffix '.conf'. I wonder if it was just someone with a mania for tidying up, or whether it was necessary to make new functionality work.

  6. Charlie Clark Silver badge

    Which other software is affected?

    I thought NSS was quite popular.

    1. Michael Wojcik Silver badge

      Re: Which other software is affected?

      Wikipedia has a list, which I'm sure is not comprehensive.

      This is a pretty bad vulnerability. It's due - once again - to poor ASN.1 handling. ASN.1 is a blight upon computing. Though in this case it looks like the problem could have been avoided by refusing to handle BER and insisting on DER, which makes ASN.1 a little better. (Is there ever a good reason to use BER? I can't think of one.)

      One thing that's not clear in the descriptions I've read of the bug is whether it only applies to some RSA keys. It's a variation of the Bleichenbacher attack, which appends attacker-chosen data to the signed hash so it matches a bogus key supplied by the attacker. Bleichenbacher's attack only works on RSA keys that use 3 for the exponent. It'd be interesting to know if this new bug ("BERserk") also only applies to RSA keys with exponent 3, since that at least reduces the scope of the vulnerability.

      And, of course, it doesn't affect certificates signed using other algorithms (DSS, ECDH, ECDSA).

  7. ecofeco Silver badge

    I'd love to update

    Honestly, I'd love to update FireFox, but since version 23, it's been nothing but a crash buggy. The latest version would not even stay running past launch. Click first bookmark... crash.

    Yes, I did all the troubleshooting and recommended fixes... under a full moon while chanting special incantations and hopping about on one foot. I also not the only one.

    So now I'm using Chrome. Which, low and behold, is far faster that FireFox and apparently more secure. Almost TOO secure.

    1. ecofeco Silver badge
      Trollface

      Re: I'd love to update

      On my. I had no idea there were FireFox fanbois just like Apple fanbois.

      Let me say this again. FireFox is now bug riddled boat anchor and until someone can explain why, I will keep that recommendation. I wish it wasn't, but that doesn't change anything. It was my favorite browser for years.

  8. itzman

    Hm. So that was the reason thunderbird and Firefox...

    suddenly were in the list of 'recommended updates'.

    Oddly, it may have fixed an NNTP problem with thunderbird, too.

    Whatever, at least the fixes are going in pretty much as soon as the problem is found.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019