===========================================================================
             AUSCERT Security Bulletin ASB-2011.0073.2
       Mozilla has released versions 6.0.2 and 3.6.22 of Firefox
                           7 September 2011
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Firefox
                      Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
Resolution:           Patch/Upgrade
Member content until: Saturday, October 1 2011
Reference:            ESB-2011.0886.2
                      ESB-2011.0890
                      ESB-2011.0891

Revision History:     September 7 2011: Further DigiNotar update
                      September 1 2011: Initial Release

OVERVIEW

        Mozilla has released versions 6.0.2 and 3.6.22 of Firefox and
        versions 6.0.2 and 3.1.14 of Thunderbird with improvements to the
        revoked root certificate for DigiNotar, due to the recent
        fraudulent issuing of SSL certificates obtained by a compromise
        to DigiNotar.

IMPACT

        Mozilla has provided the following details regarding this issue:

        "Mozilla was informed today about the issuance of at least one
        fraudulent SSL certificate for public websites belonging to
        Google, Inc. This is not a Firefox-specific issue, and the
        certificate has now been revoked by its issuer, DigiNotar. This
        should protect most users." [1]

        "Users on a compromised network could be directed to sites using
        a fraudulent certificate and mistake them for the legitimate
        sites. This could deceive them into revealing personal
        information such as usernames and passwords. It may also deceive
        users into downloading malware if they believe it's coming from a
        trusted site. We have received reports of these certificates
        being used in the wild." [1]

        As well as the following additional information:

        "As more information has come to light about the attack on the
        DigiNotar Certificate Authority we have improved the protections
        added in MFSA 2011-34.

        The main change is to add explicit distrust to the DigiNotar root
        certificate and several intermediates. Removing the root as in
        our previous fix meant the certificates could be considered valid
        if cross-signed by another Certificate Authority. Importantly
        this list of distrusted certificates includes the "PKIOverheid"
        (PKIGovernment) intermediates under DigiNotar's control that did
        not chain to DigiNotar's root and were not previously blocked." [2]

MITIGATION

        The vendor recommends upgrading to the latest versions of Firefox
        and Thunderbird to correct this issue. [3]

REFERENCES

        [1] Fraudulent *.google.com Certificate
            http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

        [2] Mozilla Foundation Security Advisory 2011-35
            http://www.mozilla.org/security/announce/2011/mfsa2011-35.html

        [3] Mozilla Applications
            http://www.mozilla.org/projects/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
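The quoted Mozilla text explains why removing DigiNotar's root was not enough: a cross-signed intermediate still chains to another trusted root, and the PKIoverheid intermediates never chained to DigiNotar's root at all. The following is an added example, not code from the bulletin or from Mozilla/NSS: a simplified path-building model with constructed certificate names that shows both gaps and how an explicit distrust list closes them.

```python
# Added example (not from AusCERT or Mozilla): a toy model of certificate
# path building.  Certificates are (subject, issuer) pairs; a cross-signed
# CA appears twice with the same subject and different issuers.  All names
# below are constructed placeholders, not real certificate subjects.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str   # name of the key holder
    issuer: str    # name of the CA that signed this certificate

CERTS = [
    Cert("DigiNotar Root", "DigiNotar Root"),
    Cert("DigiNotar Intermediate", "DigiNotar Root"),
    Cert("DigiNotar Intermediate", "Other Root"),          # cross-signed copy
    Cert("Other Root", "Other Root"),
    Cert("Government Root", "Government Root"),
    Cert("Gov Intermediate (DigiNotar-operated)", "Government Root"),
    Cert("fraudulent leaf", "DigiNotar Intermediate"),
    Cert("gov leaf", "Gov Intermediate (DigiNotar-operated)"),
]
LEAF, GOV_LEAF = CERTS[6], CERTS[7]
ALL_ROOTS = {"DigiNotar Root", "Other Root", "Government Root"}

def build_path(cert, trusted_roots, distrusted=frozenset(), pool=CERTS, depth=0):
    """Return a list of subjects from cert up to a trusted root, or None.
    A certificate whose subject is on the distrust list is rejected no
    matter which issuer signed it, so cross-signing cannot revive it."""
    if cert.subject in distrusted or depth > 8:
        return None
    if cert.subject == cert.issuer:                        # self-signed root
        return [cert.subject] if cert.subject in trusted_roots else None
    for cand in pool:                                      # try every issuer copy
        if cand.subject == cert.issuer:
            rest = build_path(cand, trusted_roots, distrusted, pool, depth + 1)
            if rest:
                return [cert.subject] + rest
    return None

def removal_only():
    """First fix: only drop the DigiNotar root from the trust store."""
    roots = ALL_ROOTS - {"DigiNotar Root"}
    return build_path(LEAF, roots), build_path(GOV_LEAF, roots)

def explicit_distrust():
    """Improved fix: explicitly distrust the root and the intermediates."""
    roots = ALL_ROOTS - {"DigiNotar Root"}
    bad = frozenset({"DigiNotar Root", "DigiNotar Intermediate",
                     "Gov Intermediate (DigiNotar-operated)"})
    return build_path(LEAF, roots, bad), build_path(GOV_LEAF, roots, bad)
```

With removal only, both leaves still validate (the fraudulent one via the cross-signed copy, the government one via its own root); with explicit distrust, neither does.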