On Metacritic: Dante's Inferno: Not as good as we hoped
BNET Business Network:
BNET
TechRepublic
ZDNet
39 TalkBacks

By Paul Festa
Posted on ZDNet News: Jul 27, 2004 11:46:00 PM

Web surfers eyeing Mozilla-based browsers as a safer alternative might want to wait a week before making the switch.

That's because the Mozilla Foundation, an open-source browser development group in Mountain View, Calif., has acknowledged a pair of serious flaws in the way its browsers handle certificates, the digital documents that let you verify a Web site's identity.

Mozilla said its engineers were caught off-guard by the vulnerabilities, as the code in question dates back from the open-source browser's proprietary progenitor, Netscape.

"The security code has been around for six or seven years, so all the serious bugs got worked out in the Netscape 4.0 time frame," said Chris Hofmann, the Mozilla Foundation's director of engineering. "We haven't seen anything serious in quite some time, so this is a surprise."

The certificate-handling flaws come at an awkward time for the Mozilla Foundation, just as security experts are promoting its browsers, along with Opera and others, as safer alternatives to Microsoft's dominant Internet Explorer software.

While Mozilla and other IE competitors claim to have a fundamentally more trustworthy security model, they have also acknowledged that Microsoft gets targeted for more security exploits simply because it is the market leader.

If Mozilla and other second-tier browsers gain market traction, that dynamic could shift.

The first of the two certificate bugs, posted to the Web and to the Bugtraq security mailing list by researcher Emmanouel Kellinis, could let a malicious Web site author trick a visitor into thinking the site was a trusted site, like that of a bank or mainstream company.

The problem has to do with a standard mechanism for pulling in content from Web sites other than the one the surfer has visited.

Normally, when a trusted Web site pulls in such third-party content, it goes into the browser cache, and the browser alerts the surfer by changing a security icon shaped like a key into a broken key.

But a problem with the Mozilla caching system makes it possible to keep that key unbroken even while importing content from other sites, and for the malicious site to display the security certificates from the trusted site.

That could help a malicious site author convincingly impersonate a trusted site like eBay or the Bank of America, a security situation ripe for credit card or identity theft schemes.

The somewhat less-severe second certificate bug, posted to Mozilla's own Bugzilla bug-tracking system, paves the way for a denial-of-service attack.

Because of the bug, a forged certificate could wind up corrupting an authentic one. As a result, someone visiting the trusted site would be denied access.

Mozilla said it was still deciding whether it would release stand-alone patches or simply issue the fixes with upcoming versions of the browsers. Current Mozilla-based browsers include Mozilla 1.7.1 and Firefox 0.9.2.

Mozilla expects to have either patches or new versions of the browsers available in about a week.

SponsoredWhite Papers, Webcasts, and Downloads

  • Talkback
  • Most Recent of 39 Talkback(s)
Might want to read the headlines
eom (Read the rest)
Posted by: nikoli Posted on: 07/30/04 You are currently: a Guest | | Terms of Use
Before the NBMers weigh in  AbsolutelyNot | 07/27/04
but but but but but  Squawkbox | 07/27/04
Sort of  prong@... | 07/27/04
odd  eLurker | 07/28/04
IE's secutity holes MORE SEVERE than Firefox's  Peter Reaper | 07/29/04
hmmmm  zijiang | 07/27/04
"Many eyes" argument a bit over hyped  betelgeuse68 | 07/27/04
many eyes did not inspect the security model  Harry Butts | 07/28/04
still beats IE by miles....  nikster | 07/27/04
Just wait  PmAc_z | 07/28/04
track record...  ryusen | 07/28/04
This actually shows 'many eyes' at work  Amberhawk | 07/28/04
Wrong  Loverock Davidson | 07/28/04
Need I remind you?  AbsolutelyNot | 07/28/04
I guess so  Loverock Davidson | 07/28/04
yes you are  ryusen | 07/28/04
re: your question  ryusen | 07/28/04
So, what's the score. About 6 to 44,258 ?  BitTwiddler | 07/28/04
Whew! Good thing it's not tied into the OS or anything!  Xunil_Sierutuf | 07/28/04
Mozilla to squash security bugs  Loverock Davidson | 07/28/04
Hey, That's completely Unfair  el1jones | 07/28/04
hell...  ryusen | 07/28/04
Used mainly on Windows  voska | 07/28/04
yeah, IE just puts old exploits back in..  Monkey_MCSE | 07/28/04
wasnt that  eLurker | 07/28/04
a couple had them yes  Monkey_MCSE | 07/28/04
actually, no  eLurker | 07/28/04
if you are talking abotu the "shell"  ryusen | 07/28/04
no  eLurker | 07/28/04
How about the 'other' side  AmusedAtItAll | 07/28/04
I'm not an MS Basher  skeptic tank | 07/28/04
You match the criteria.. now come over to the bash side!  Xunil_Sierutuf | 07/28/04
Any exploits of these vulns?  Eggs Ackley_z | 07/28/04
Astro boy takes to the SKY!!!!!!!!!!!!!!!!!!!!  chiwawa | 07/28/04
Technically  skeptic tank | 07/28/04
Nice that it can affect without being OS reliant, really open  FilledOut | 07/28/04
Hey, don't leave out bashers from Apple  FilledOut | 07/28/04
It'll be fixed before MS fixes IE  CobraA1 | 07/28/04
Might want to read the headlines  nikoli | 07/30/04

What do you think?

advertisement
advertisement

White Papers, Webcasts, and Downloads

SmartPlanet

Click Here