===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2011.0073.2
         Mozilla has released versions 6.0.2 and 3.6.22 of Firefox
                             7 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Saturday, October 1 2011
Reference:            ESB-2011.0886.2
                      ESB-2011.0890
                      ESB-2011.0891

Revision History:     September 7 2011: Further DigiNotar update
                      September 1 2011: Initial Release

OVERVIEW

        Mozilla has released versions 6.0.2 and 3.6.22 of Firefox and versions
        6.0.2 and 3.1.14 of Thunderbird that improve the handling of the revoked
        DigiNotar root certificate, following the recent issuance of fraudulent
        SSL certificates obtained through a compromise of DigiNotar.


IMPACT

        Mozilla has provided the following details regarding this issue:
        
        "Mozilla was informed today about the issuance of at least one 
        fraudulent SSL certificate for public websites belonging to Google, 
        Inc. This is not a Firefox-specific issue, and the certificate has now 
        been revoked by its issuer, DigiNotar. This should protect most 
        users." [1]
        
        "Users on a compromised network could be directed to sites using a 
        fraudulent certificate and mistake them for the legitimate sites. This 
        could deceive them into revealing personal information such as 
        usernames and passwords. It may also deceive users into downloading 
        malware if they believe it's coming from a trusted site. We have 
        received reports of these certificates being used in the wild." [1]
        
        As well as the following additional information:
        
        "As more information has come to light about the attack on the DigiNotar
        Certificate Authority we have improved the protections added in
        MFSA 2011-34. The main change is to add explicit distrust to the
        DigiNotar root certificate and several intermediates. Removing the root
        as in our previous fix meant the certificates could be considered valid
        if cross-signed by another Certificate Authority. Importantly this list
        of distrusted certificates includes the "PKIOverheid" (PKIGovernment)
        intermediates under DigiNotar's control that did not chain to
        DigiNotar's root and were not previously blocked." [2]
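
        The distinction Mozilla draws above (deleting a root from the trust store
        versus explicitly distrusting specific certificates) can be shown with a
        small path-building model. The following is an added example, not code
        from AusCERT or Mozilla: certificates are reduced to subject/issuer pairs,
        the names and the cross-signed and PKIoverheid certificates are constructed
        for illustration, and distrust is applied per certificate rather than
        through NSS's real mechanism.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: subject and issuer only."""
    subject: str
    issuer: str  # equal to subject for a self-signed root


# Constructed sample PKI (illustrative names, not the real DigiNotar certificates).
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA")
GOV_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA")
DIGINOTAR_CROSS = Cert("DigiNotar Root CA", "Other Root CA")  # cross-signed copy
PKIOVERHEID_INT = Cert("DigiNotar PKIoverheid CA", "Staat der Nederlanden Root CA")
FRAUD_LEAF = Cert("*.example.com", "DigiNotar Root CA")
GOV_LEAF = Cert("service.example.nl", "DigiNotar PKIoverheid CA")
AVAILABLE = [DIGINOTAR_ROOT, OTHER_ROOT, GOV_ROOT, DIGINOTAR_CROSS, PKIOVERHEID_INT]

# Policy A (MFSA 2011-34 style): the DigiNotar root is simply absent from the store.
REMOVE_ROOT = (frozenset({OTHER_ROOT, GOV_ROOT}), frozenset())
# Policy B (MFSA 2011-35 style): same store, plus explicit distrust of the root,
# its cross-signed copy and the PKIoverheid intermediate that never chained to it.
EXPLICIT_DISTRUST = (frozenset({OTHER_ROOT, GOV_ROOT}),
                     frozenset({DIGINOTAR_ROOT, DIGINOTAR_CROSS, PKIOVERHEID_INT}))


def build_path(leaf, policy, available=AVAILABLE):
    """Depth-first path building from leaf to a trusted root.

    Returns the subjects on the first acceptable path, or None. A distrusted
    certificate ends the path no matter which root it could otherwise reach."""
    trusted, distrusted = policy

    def walk(cert, seen):
        if cert in distrusted:
            return None
        if cert in trusted:
            return [cert.subject]
        if cert.subject == cert.issuer:
            return None  # self-signed but not a trust anchor: dead end
        for cand in available:
            if cand.subject == cert.issuer and cand not in seen:
                rest = walk(cand, seen | {cand})
                if rest is not None:
                    return [cert.subject] + rest
        return None

    return walk(leaf, {leaf})
```

        Under REMOVE_ROOT the fraudulent leaf still validates through the
        cross-signed copy and the PKIoverheid-issued leaf through the government
        root; under EXPLICIT_DISTRUST both return None while unrelated chains
        still validate.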


MITIGATION

        The vendor recommends upgrading to the latest versions of Firefox and
        Thunderbird to correct this issue. [3]


REFERENCES

        [1] Fraudulent *.google.com Certificate
            http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

        [2] Mozilla Foundation Security Advisory 2011-35
            http://www.mozilla.org/security/announce/2011/mfsa2011-35.html

        [3] Mozilla Applications
            http://www.mozilla.org/projects/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================