Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln
Not 'just another pointless patch', this one's for real
Mozilla Firefox needs patching urgently following the discovery that the open source browser is vulnerable to SSL man-in-the-middle attacks.
The critical bug arises because the Network Security Services (NSS) libraries parser built into the browser is capable of being tricked into accepting forged RSA certificate signatures.
Man-in-the-middle attacks create a means for attackers to impersonate a bank or webmail provider, tricking surfers into handing over logon credentials that can be relayed to the genuine organisation.
Normally surfers would be confronted with a warning that the certificate of the site was invalid, but this would not happen in cases where man-in-the-middle attacks are in play.
Fortunately patches are already available. Firefox ESR 31.1.1, Firefox ESR 24.8.1, Thunderbird 31.1.1, and Thunderbird 24.8.1 have been updated to NSS 220.127.116.11.
Firefox 32.0.3 and SeaMonkey 2.29.1 have been updated to NSS 3.16.5.
It almost goes without saying that all these updates are rated as critical.
The bug was discovered by Antoine Delignat-Lavaud, a security researcher at Prosecco. More details are available in Mozilla's advisory here