
Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

The free security review turned up four high severity vulnerabilities that could lead to remote code execution, four medium risk bugs, and one low risk man-in-the-middle TLS flaw.

One medium severity credential flaw, in which ConnectionExists() compares passwords using the case-insensitive strequal(), was left unfixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches, two of the vulnerabilities having been combined into one fix, in the largest cURL security release to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five engineers from the Berlin-based Cure53 team, engaged by Mozilla, conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished on 23 September, and fixes were produced over the ensuing months.

The developer says the decision to audit in secret may mean fewer checks on the fixes and, possibly, borked patches.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL-01-021 UAF via insufficient locking for shared cookies (High)
  • CRL-01-005 OOB write via unchecked multiplication in base64_encode() (High)
  • CRL-01-009 Double-free in krb5_read_data() due to missing realloc() check (High)
  • CRL-01-014 Negative array index via integer overflow in unescape_word() (High)
  • CRL-01-001 Malicious server can inject cookies for other servers (Medium)
  • CRL-01-007 Double-free in aprintf() via unsafe size_t multiplication (Medium)
  • CRL-01-013 Heap overflow via integer truncation (Medium)
  • CRL-01-002 ConnectionExists() compares passwords with strequal() (Medium)
  • CRL-01-011 FTPS TLS session reuse (Low)
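
Three of the findings above (CRL-01-005, CRL-01-007 and CRL-01-014) share one root cause: a buffer size computed with unchecked arithmetic on a caller-controlled length. The following is an added illustration of that bug class and its fix, not cURL's code and not the audited functions; the names b64_size_unchecked, b64_size_checked and b64_encode are constructed for this example. It shows the unchecked base64 size formula beside a form that checks every step against SIZE_MAX and refuses to allocate when the result would wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not cURL's code): the allocation-size pattern behind
 * integer-overflow findings such as an unchecked multiplication in a
 * base64 encoder.  The output needs 4 characters per 3 input bytes plus
 * a NUL; if that is computed with unchecked arithmetic, a huge insize
 * wraps around, the buffer is undersized and the encode loop writes
 * past its end. */

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Unsafe form: insize * 4 can wrap.  For insize = SIZE_MAX the product
 * wraps to SIZE_MAX - 3, so the "size" returned is smaller than the
 * input that has to be encoded into it. */
size_t b64_size_unchecked(size_t insize)
{
    return insize * 4 / 3 + 4;
}

/* Hardened form: every step is bounds-checked before it is performed.
 * Returns 0 on overflow; 0 is never a valid size because even empty
 * input needs one byte for the NUL terminator. */
size_t b64_size_checked(size_t insize)
{
    size_t groups;
    if (insize > SIZE_MAX - 2)          /* insize + 2 would wrap */
        return 0;
    groups = (insize + 2) / 3;          /* ceil(insize / 3) */
    if (groups > (SIZE_MAX - 1) / 4)    /* groups * 4 + 1 would wrap */
        return 0;
    return groups * 4 + 1;              /* 4 chars per group + NUL */
}

/* Encoder that allocates with the checked size.  Returns NULL on
 * overflow or allocation failure; the caller frees the result. */
char *b64_encode(const unsigned char *in, size_t insize)
{
    size_t need = b64_size_checked(insize);
    if (need == 0)
        return NULL;                    /* refuse rather than under-allocate */
    char *out = malloc(need);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < insize; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < insize) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < insize) v |= in[i + 2];
        out[o++] = b64tab[(v >> 18) & 63];
        out[o++] = b64tab[(v >> 12) & 63];
        out[o++] = (i + 1 < insize) ? b64tab[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < insize) ? b64tab[v & 63] : '=';
    }
    out[o] = '\0';                      /* o == need - 1 by construction */
    return out;
}
```

The checked version does its division first (groups of three input bytes), so the only multiplication is by a small constant that has already been bounded; the same pattern, bounding each operand before a size_t multiply and treating a zero result as "do not allocate", is what closes the aprintf() and unescape_word() findings as well.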



The Register - Security

Mozilla Firefox Multiple Security Vulnerabilities

Bugtraq ID: 94337
Class: Unknown
CVE: CVE-2016-5292, CVE-2016-9067, CVE-2016-9069, CVE-2016-9068, CVE-2016-9072, CVE-2016-9075, CVE-2016-9077, CVE-2016-5295, CVE-2016-5298, CVE-2016-5299, CVE-2016-9061, CVE-2016-9062, CVE-2016-9070, CVE-2016-9073, CVE-2016-9076, CVE-2016-9063, CVE-2016-9071, CVE-2016-5289
Remote: Yes
Local: No
Published: Nov 15 2016 12:00AM
Updated: Nov 16 2016 12:11AM
Credit: Daniel Browning, Nils, Bob Owen, Kris Maglione, Markus Stange, Holger Fuhrmannek, Jordi Chancel, Ken Okuyama, Daniel D., Abdulrahman Alqabandi, Will Bamberg, Mats Palmgren, Gustavo Grieco, Xiaoyin Liu and Mozilla developers.
Vulnerable: Mozilla Firefox 43.0.2
Mozilla Firefox 43.0.1
Mozilla Firefox 41.0.2
Mozilla Firefox 39.0.3
Mozilla Firefox 37.0.2
Mozilla Firefox 37.0.1
Mozilla Firefox 36.0.4
Mozilla Firefox 31.8
Mozilla Firefox 29.0.1
Mozilla Firefox 28.0.1
Mozilla Firefox 27.0.1
Mozilla Firefox 25.0.1
Mozilla Firefox 24.1.1
Mozilla Firefox 22.0 4917
Mozilla Firefox 19.0.2
Mozilla Firefox 19.0.1
Mozilla Firefox 17.0.10
Mozilla Firefox 17.0.7
Mozilla Firefox 17.0.6
Mozilla Firefox 17.0.5
Mozilla Firefox 17.0.4
Mozilla Firefox 17.0.3
Mozilla Firefox 17.0.2
Mozilla Firefox 16.0.2
Mozilla Firefox 16.0.1
Mozilla Firefox 15.0.1
Mozilla Firefox 13.0.1
Mozilla Firefox 10.0.12
Mozilla Firefox 9.0.1
Mozilla Firefox 3.6.28
Mozilla Firefox 3.6.22
Mozilla Firefox 3.6.13
Mozilla Firefox 3.6.10
Mozilla Firefox 3.6.9
Mozilla Firefox 3.6.8
Mozilla Firefox 3.6.6
Mozilla Firefox 3.6.4
Mozilla Firefox 3.6.3
Mozilla Firefox 3.6.2
Mozilla Firefox 3.6.1
Mozilla Firefox 3.5.16
Mozilla Firefox 3.5.14
Mozilla Firefox 3.5.13
Mozilla Firefox 3.5.10
Mozilla Firefox 3.5.9
Mozilla Firefox 3.5.8
Mozilla Firefox 3.5.7
Mozilla Firefox 3.5.6
Mozilla Firefox 3.5.5
Mozilla Firefox 3.5.4
Mozilla Firefox 3.5.3
Mozilla Firefox 3.5.2
Mozilla Firefox 3.5.1
Mozilla Firefox 3.5
Mozilla Firefox 3.0.18
Mozilla Firefox 3.0.17
Mozilla Firefox 3.0.16
Mozilla Firefox 3.0.15
Mozilla Firefox 3.0.14
Mozilla Firefox 3.0.13
Mozilla Firefox 3.0.12
Mozilla Firefox 3.0.11
Mozilla Firefox 3.0.10
Mozilla Firefox 3.0.9
Mozilla Firefox 3.0.8
Mozilla Firefox 3.0.7
Mozilla Firefox 3.0.6
Mozilla Firefox 3.0.5
Mozilla Firefox 3.0.4
Mozilla Firefox 3.0.3
Mozilla Firefox 3.0.2
Mozilla Firefox 3.0.1
Mozilla Firefox 2.0 20
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .8
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .3
Mozilla Firefox 2.0 .19
Mozilla Firefox 2.0 .17
Mozilla Firefox 2.0 .16
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 1.5.8
Mozilla Firefox 1.5.7
Mozilla Firefox 1.5.6
Mozilla Firefox 1.5.5
Mozilla Firefox 1.5.4
Mozilla Firefox 1.5.2
Mozilla Firefox 1.5.1
Mozilla Firefox 1.5 beta 2
Mozilla Firefox 1.5 beta 1
Mozilla Firefox 1.5 12
Mozilla Firefox 1.5 .8
Mozilla Firefox 1.5
Mozilla Firefox 1.0.8
Mozilla Firefox 1.0.7
Mozilla Firefox 1.0.6
Mozilla Firefox 1.0.5
Mozilla Firefox 1.0.4
Mozilla Firefox 1.0.3
Mozilla Firefox 1.0.2
Mozilla Firefox 1.0.1
Mozilla Firefox 1.0
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.8
Mozilla Firefox 0.6.1
Mozilla Firefox 0.0.13
Mozilla Firefox 9.0
Mozilla Firefox 8.0.1
Mozilla Firefox 8.0
Mozilla Firefox 7.0.1
Mozilla Firefox 7.0
Mozilla Firefox 7
Mozilla Firefox 6.0.2
Mozilla Firefox 6.0.1
Mozilla Firefox 6.0
Mozilla Firefox 6
Mozilla Firefox 5.0.1
Mozilla Firefox 5.0
Mozilla Firefox 49.0.2
Mozilla Firefox 49.0.1
Mozilla Firefox 49
Mozilla Firefox 48
Mozilla Firefox 47
Mozilla Firefox 46.0.1
Mozilla Firefox 46
Mozilla Firefox 45.0.2
Mozilla Firefox 45
Mozilla Firefox 44.0.2
Mozilla Firefox 44
Mozilla Firefox 43
Mozilla Firefox 42
Mozilla Firefox 41
Mozilla Firefox 40.0.3
Mozilla Firefox 40
Mozilla Firefox 4.0.1
Mozilla Firefox 4.0
Mozilla Firefox 39
Mozilla Firefox 38
Mozilla Firefox 37
Mozilla Firefox 36.0.3
Mozilla Firefox 36
Mozilla Firefox 35.0.1
Mozilla Firefox 35
Mozilla Firefox 34.0.5
Mozilla Firefox 34
Mozilla Firefox 33.0
Mozilla Firefox 33
Mozilla Firefox 32.0.3
Mozilla Firefox 32.0
Mozilla Firefox 32
Mozilla Firefox 31.8
Mozilla Firefox 31.6
Mozilla Firefox 31.1.0
Mozilla Firefox 31.1
Mozilla Firefox 31.0
Mozilla Firefox 31
Mozilla Firefox 30.0
Mozilla Firefox 30
Mozilla Firefox 3.6.7
Mozilla Firefox 3.6.27
Mozilla Firefox 3.6.26
Mozilla Firefox 3.6.25
Mozilla Firefox 3.6.24
Mozilla Firefox 3.6.23
Mozilla Firefox 3.6.21
Mozilla Firefox 3.6.20
Mozilla Firefox 3.6.19
Mozilla Firefox 3.6.18
Mozilla Firefox 3.6.17
Mozilla Firefox 3.6.16
Mozilla Firefox 3.6.15
Mozilla Firefox 3.6.14
Mozilla Firefox 3.6.12
Mozilla Firefox 3.6.11
Mozilla Firefox 3.6 Beta 3
Mozilla Firefox 3.6 Beta 2
Mozilla Firefox 3.6 A1 Pre
Mozilla Firefox 3.6
Mozilla Firefox 3.5.19
Mozilla Firefox 3.5.18
Mozilla Firefox 3.5.17
Mozilla Firefox 3.5.15
Mozilla Firefox 3.5.12
Mozilla Firefox 3.5.11
Mozilla Firefox 3.1
Mozilla Firefox 3.0.19
Mozilla Firefox 3.0
Mozilla Firefox 29.0
Mozilla Firefox 29
Mozilla Firefox 28.0
Mozilla Firefox 28
Mozilla Firefox 27.0
Mozilla Firefox 27
Mozilla Firefox 26.0
Mozilla Firefox 26
Mozilla Firefox 25.0
Mozilla Firefox 24.1
Mozilla Firefox 24.0
Mozilla Firefox 23.0.1
Mozilla Firefox 23.0
Mozilla Firefox 22.0
Mozilla Firefox 21.0
Mozilla Firefox 20.0.1
Mozilla Firefox 20.0
Mozilla Firefox 2.0.0.21
Mozilla Firefox 2.0.0.2
Mozilla Firefox 2.0.0.19
Mozilla Firefox 2.0.0.18
Mozilla Firefox 2.0.0.15
Mozilla Firefox 2.0.0.14
Mozilla Firefox 2.0.0.13
Mozilla Firefox 2.0.0.12
Mozilla Firefox 2.0.0.11
Mozilla Firefox 2.0 RC3
Mozilla Firefox 2.0 RC2
Mozilla Firefox 2.0 Beta1
Mozilla Firefox 2.0 beta 1
Mozilla Firefox 2.0 8
Mozilla Firefox 2.0 .9
Mozilla Firefox 2.0 .7
Mozilla Firefox 2.0 .6
Mozilla Firefox 2.0 .5
Mozilla Firefox 2.0 .4
Mozilla Firefox 2.0 .10
Mozilla Firefox 2.0 .1
Mozilla Firefox 2.0
Mozilla Firefox 19.0
Mozilla Firefox 18.0.2
Mozilla Firefox 18.0.1
Mozilla Firefox 18.0
Mozilla Firefox 17.0.9
Mozilla Firefox 17.0.8
Mozilla Firefox 17.0.11
Mozilla Firefox 17.0.1
Mozilla Firefox 17.0
Mozilla Firefox 16.0
Mozilla Firefox 16
Mozilla Firefox 15.0
Mozilla Firefox 15
Mozilla Firefox 14.01
Mozilla Firefox 14.0.1
Mozilla Firefox 14.0
Mozilla Firefox 14
Mozilla Firefox 13.0
Mozilla Firefox 12.0 Beta6
Mozilla Firefox 12.0
Mozilla Firefox 11.0
Mozilla Firefox 10.0.9
Mozilla Firefox 10.0.8
Mozilla Firefox 10.0.7
Mozilla Firefox 10.0.6
Mozilla Firefox 10.0.5
Mozilla Firefox 10.0.4
Mozilla Firefox 10.0.3
Mozilla Firefox 10.0.2
Mozilla Firefox 10.0.11
Mozilla Firefox 10.0.10
Mozilla Firefox 10.0.1
Mozilla Firefox 10.0
Mozilla Firefox 10
Mozilla Firefox 1.8
Mozilla Firefox 1.5.3
Mozilla Firefox 1.5.0.9
Mozilla Firefox 1.5.0.7
Mozilla Firefox 1.5.0.6
Mozilla Firefox 1.5.0.5
Mozilla Firefox 1.5.0.4
Mozilla Firefox 1.5.0.3
Mozilla Firefox 1.5.0.2
Mozilla Firefox 1.5.0.11
Mozilla Firefox 1.5.0.10
Mozilla Firefox 1.5.0.1
Mozilla Firefox 1.4.1
Mozilla Firefox 0.9 Rc
Mozilla Firefox 0.7
Mozilla Firefox 0.6
Mozilla Firefox 0.5
Mozilla Firefox 0.4
Mozilla Firefox 0.3
Mozilla Firefox 0.2
Mozilla Firefox 0.1
Not Vulnerable: Mozilla Firefox 50


SecurityFocus Vulnerabilities

Mozilla announced it will remove Chinese certificate authority WoSign from its list of trusted certificate issuers for one year following an investigation into "unacceptable" behavior by the CA.

Mozilla detailed 14 different issues arising from WoSign's activities since the start of 2015, including improperly issuing backdated SHA-1 certificates to avoid blocks on using the deprecated algorithm, lack of qualified audits and violations of the CA/Browser Forum industry group's Baseline Requirements. WoSign also apparently purchased another trusted certificate authority, Israel-based StartCom, last year, but violated Mozilla's CA Certificate Maintenance Policy by not disclosing the change in ownership until this month.

"Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Mozilla wrote in the report of its investigation into WoSign. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands."

Craig Young, computer security researcher at Tripwire's Vulnerability and Exposures Research Team, told SearchSecurity that Mozilla made the right call to remove WoSign as a trusted CA. "Mozilla has also outlined multiple ways in which WoSign's domain ownership verification processes have been flawed and these issues were not satisfactorily remediated by the CA," Young said. "This is a tremendously dangerous example because it could in fact lead to real world attacks which subvert the SSL ecosystem. Making sure that only sufficiently authorized individuals are able to obtain trusted certificates for a particular web property is probably the most fundamental responsibility for a CA."

"The certificate system is based on trust, and without it, the system could collapse," Ryan Linn, director of advanced threats and countermeasures and director of security North America at Nuix, a cybersecurity firm based in Sydney, Australia, told SearchSecurity. "The lock icon on the browser indicates that the certificate for a website is trusted and that the issuer of that certificate has done due diligence to make sure that the site is legitimate. While the speculation is that this certificate authority lied about when certificates were created, how do we know we can trust that they are doing other things they say they are?"

"The public key infrastructure used to secure encrypted web traffic is heavily dependent on the expectation that trusted certificate authorities can in fact be trusted," Young said. "Mozilla has lodged some serious accusations against WoSign indicating that they in fact cannot be trusted. Mozilla has released extensive research which indicates that numerous certificates were issued by WoSign in violation of the ban on SHA-1. The use of SHA-1 makes it more likely that an attacker could forge a fake certificate that would still be trusted by browsers."

Although purchasing another trusted certificate authority "is by no means illegal, Mozilla's program requirements say that a change of CA ownership must be disclosed," Mozilla wrote. "In this case, that was not done -- and in fact, the change was directly denied a few months after it happened."

WoSign's lack of forthrightness about its acquisition of StartCom at the end of 2015 became a major issue, as Mozilla reported there was "technical evidence that around a month and a half after the acquisition, StartCom issuances switched to using WoSign's infrastructure -- either the same instance of it, or their own instance." WoSign announced the acquisition in a press release earlier this month.

The Mozilla plan for the sanctions on WoSign and StartCom is to "distrust only newly-issued certificates and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses."

"Most users won't see any impact," Linn said. "Mozilla isn't invalidating all of the CA's certificates either; they are only invalidating newly issued certificates with weak encryption from this one CA. The big impact will be for companies that purchased certificates with a backdated 'notBefore' field. Those companies will have to have certificates reissued, or else they risk warnings in the browser that their site is not secure."

Mozilla plans to distrust the CAs for a minimum of one year, after which the CAs could be readmitted to the Mozilla trust program if they meet a set of conditions: a "Point-in-Time Readiness Audit" and a full code security audit of their infrastructure, both to be submitted by auditors agreed to by Mozilla; 100% embedded certificate transparency for all issued certificates; and successful completion of the normal process.

The report also noted that since a certificate's notBefore date is chosen by the issuing CA, it would be possible for WoSign or StartCom to backdate certificates in order to evade the restriction -- something that WoSign had done in the past.

"However, many eyes are on the Web PKI and if such additional backdating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots," the report warned.

Mozilla will also no longer accept audits carried out by WoSign's auditors, Ernst & Young (Hong Kong), because they "failed to detect multiple issues they should have detected."

Yet to be determined is the amount of lead time necessary before Mozilla acts to remove WoSign from its trust program, as well as whether WoSign and StartCom will be allowed to reapply for the program using the same roots.



SearchSecurity: Security Wire Daily News


Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program.

As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone.

In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA."

That investigation follows on from a huge number of issues Mozilla outlines here.

Those issues include WoSign's notorious error of issuing a cert for GitHub to a university student.

The Mozilla engineers' report revolves around SHA-1 certificates. SHA-1 has been regarded as insecure for years and is therefore being deprecated by all major browsers.

As part of its deprecation process, Mozilla treats new SHA-1 certs as invalid unless the issuing CA completes an approval process – and the report says both WoSign and StartCom fudged the process by backdating new SHA-1s to make it seem they were issued before the January 1, 2016 ban.

It accuses WoSign of acquiring Israeli StartCom without disclosing the change of ownership, "which we believe violates section 5 of the Mozilla CA Certificate Maintenance Policy".

Although WoSign's media release says StartCom remains independent of WoSign, Mozilla says the former is using the latter's infrastructure to issue certs.

As an example of the backdating, Mozilla's investigation documents certificates issued to Australian payments processor Tyro. It nominates a StartCom SHA-1 certificate logged into Google's Certificate Transparency project in June this year, but which Mozilla believes was backdated by StartCom.

The Register has tried to contact Tyro about this certificate.

There's also a smackdown for WoSign's auditors, the Hong Kong office of Ernst & Young, which it says "failed to detect multiple issues they should have detected".

Mozilla says it wants to “distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses”.

Mozilla is seeking public comment on the issue, in particular to help decide when to implement its proposed ban, and whether WoSign or StartCom need to create new roots before they re-apply to be trusted again.

Interestingly, WoSign issued a media release in China (you'll need Google Translate for this link) at the beginning of last week, announcing it completed its equity investment in StartCom on September 19. ®



The Register - Security


Original release date: August 03, 2016

Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 48
  • Firefox ESR 45.3

Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.



US-CERT Current Activity