Security Alerts & News
by Tymoteusz A. Góral

History
#1473 Mozilla plans Firefox fix for same malware vulnerability that bit Tor
Mozilla officials say they'll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.

The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CA).

While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.
Read more
#1476 Facebook page takeover – zero-day vulnerability
#1475 Blizzard hit with DDoS attack disrupting play for gamers
#1474 IKEv1 information disclosure vulnerability in multiple Cisco products
#1473 Mozilla plans Firefox fix for same malware vulnerability that bit Tor
#1472 ORWL PC: The most secure home computer ever
#1471 Structure Security: How much security can you automate?
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12