New Firefox patches authentication security holes

Two critical problems with how Mozilla's browser handles authentication processes could let an attacker see encrypted data or take over a machine.

Mozilla on Monday released two new versions of Firefox, 3.5.2 and 3.0.13, to patch two critical security holes. You can download the Windows and Mac versions of 3.5.2 from CNET Download.com, or go to Mozilla for the Linux build and Firefox 3.0.13.

"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting about the security issue.

The first vulnerability could let an attacker run arbitrary code on a person's computer by sending specially crafted authentication information called certificate.

The second vulnerability, disclosed last week, involves a flaw in certificate authentication technology that could potentially let an attacker gain access to encrypted information or issue a bogus update to Firefox.

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments