Mozilla to squash security bugs

As surfers turn to the open-source browser as a more secure option, the Mozilla Foundation acknowledges two serious certificate flaws.

Paul Festa, Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.

Web surfers eyeing Mozilla-based browsers as a safer alternative might want to wait a week before making the switch.

That's because the Mozilla Foundation, an open-source browser development group in Mountain View, Calif., has acknowledged a pair of serious flaws in the way its browsers handle certificates, the digital documents that let you verify a Web site's identity.

Mozilla said its engineers were caught off-guard by the vulnerabilities, as the code in question dates back to the open-source browser's proprietary progenitor, Netscape.

"The security code has been around for six or seven years, so all the serious bugs got worked out in the Netscape 4.0 time frame," said Chris Hofmann, the Mozilla Foundation's director of engineering. "We haven't seen anything serious in quite some time, so this is a surprise."

The certificate-handling flaws come at an awkward time for the Mozilla Foundation, just as security experts are promoting its browsers, along with Opera and others, as safer alternatives to Microsoft's dominant Internet Explorer software.

While Mozilla and other IE competitors claim to have a fundamentally more trustworthy security model, they have also acknowledged that Microsoft gets targeted for more security exploits simply because it is the market leader.

If Mozilla and other second-tier browsers gain market traction, that dynamic could shift.

The first of the two certificate bugs, posted to the Web and to the Bugtraq security mailing list by researcher Emmanouel Kellinis, could let a malicious Web site author trick a visitor into thinking the site was a trusted site, like that of a bank or mainstream company.

The problem has to do with a standard mechanism for pulling in content from Web sites other than the one the surfer has visited.

Normally, when a trusted Web site pulls in such third-party content, it goes into the browser cache, and the browser alerts the surfer by changing a security icon shaped like a key into a broken key.

But a problem with the Mozilla caching system makes it possible to keep that key unbroken even while importing content from other sites, and for the malicious site to display the security certificates from the trusted site.

That could help a malicious site author convincingly impersonate a trusted site like eBay or the Bank of America, a security situation ripe for credit card or identity theft schemes.

The somewhat less-severe second certificate bug, posted to Mozilla's own Bugzilla bug-tracking system, paves the way for a denial-of-service attack.

Because of the bug, a forged certificate could wind up corrupting an authentic one. As a result, someone visiting the trusted site would be denied access.

Mozilla said it was still deciding whether it would release stand-alone patches or simply issue the fixes with upcoming versions of the browsers. Current Mozilla-based browsers include Mozilla 1.7.1 and Firefox 0.9.2.

Mozilla expects to have either patches or new versions of the browsers available in about a week.