Mozilla patches three public Firefox bugs

04.08.2009
Mozilla today patched Firefox 3.5 and Firefox 3.0 to quash three security vulnerabilities, including a pair unveiled last week at Black Hat, and a third Mozilla itself revealed last month.

Firefox 3.0.13, the update to the older browser that Mozilla will drop off the support list in January 2010, includes two bugs, while Firefox 3.5.2 fixes a separate flaw.

The vulnerabilities patched by Firefox 3.0.13 were disclosed last Thursday by Dan Kaminsky of IOActive and a security consultant who calls himself Moxie Marlinspike, at Black Hat in Las Vegas.

Independently, Kaminsky, best known as the discoverer of the , and Marlinspike demonstrated how in browsers' implementation of SSL (Secure Socket Layer), the Web's default encryption protocol.

Attackers could hijack a Web session to steal critical passwords or trick Firefox users into accepting a bogus software update that contained malware.

Firefox 3.5 was already safe from such attacks, since Mozilla's developers had used a newer, more secure version of NSS (Network Security Services), a set of code "libraries" for baking SSL into browsers.