Ad: Manage updates with the Download App
ie8 fix

Browsers forum: Updates to Firefox & Chrome

by: MarkFlax September 2, 2011 1:54 PM PDT

Like this

0 people like this thread

Staff pick

Updates to Firefox & Chrome

by MarkFlax Moderator - 9/2/11 1:54 PM

Both browsers have updates available after the discovery
of a fraudulent DigiNotar SSL certificate being used in Iran as part of a man-in-the-middle attack, Mozilla has now released versions of Firefox 6.0.1, Firefox 3.6.21 and Thunderbird 6.0.1, and Google has released Chrome 13.0.782.218. The updates disable or delete entries for DigiNotar's Certificate Authority. Google also took the opportunity to update the Adobe Flash Player in Chrome and also updated development versions of Chrome.

The impact of the removal of the DigiNotar Root certificate, beyond that of blocking the one (or more) bogus certificates, is unclear, though it may have an impact on users in the Netherlands where DigiNotar operates. For example, the government's DigiD identity management platform uses SSL certificates issued by DigiNotar.

Users will see the updates for Firefox within 24 to 48 hours. Firefox 3.6.x users who wish to install the update manually can download it from the "Older Firefox" page. At the time of writing, according to Mozilla's advisory page, updates for the Aurora and Nightly builds of Firefox have been updated as well, but not the Firefox 7 beta; Thunderbird 7 beta and Firefox for Mobile will be updated soon. Users can also manually check.

Chrome users should see their updates appear automatically, but can also manually update the browser.

Update: Mozilla has also released version 3.1.13 of Thunderbird to revoke the root certificate for DigiNotar.

http://www.h-online.com/security/news/item/Updated-Chrome-and-Firefox-for-fraudulent-Google-certificate-available-1333898.html

Related:
Falsely issued Google SSL certificate in the wild for more then 5 weeks
Rogue Google SSL certificate missed by auditors

Thanks to Carol for providing this information, and for doing all the hard work!

Carol's post about this in the Spyware, viruses and security forum can be found here;

NEWS - August 31, 2011: Updated Chrome and Firefox for fraudulent Google certificate available

And there is further information in that thread.

Mark


Reply
Report offensive post
Email to friend

Brower Makers Update (Again) After DigiNotar CA Compromise

by Carol~ Moderator - 9/7/11 1:52 PM

In Reply to: Updates to Firefox & Chrome by MarkFlax Moderator

From Heise Security:

Browser makers update their DigiNotar disaster updates:

As more details of the damage from the DigiNotar CA compromise are revealed, browser makers are now releasing second updates to their products to remove more untrustworthy certificates. Mobile device users and Mac OS X users are less well served.

Microsoft has updated security advisory 2607712 and announced that it has added the root certificates for DigiNotar Root CA and the DigiNotar PKIoverheid to its Untrusted Certificate Store. The update should appear automatically on most Windows systems but Microsoft has also made immediate download links for the update available for all Windows systems from Windows XP to Windows 7 and Windows 2008. The automatic update is not being performed in the Netherlands at this time at the request of the Dutch government.

Mozilla has released updates for Firefox browser, 6.0.2 and 3.6.22, and the Thunderbird email client, 6.0.2, 7.0 beta and 3.1.14 ; these new updates remove all trust from the DigiNotar CA. Firefox 3.6 and Thunderbird 3.1 users are encouraged to select "Check for Updates" from the Help menu to get the update; other users should see the update arrive automatically in the next 24 hours.

Mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates. When Apple do move to release an update though, it should be widely available. Android users will have to wait for each device vendor to release updates for their phones, or move to a custom ROM such as CyanogenMod; a fix is in the process of being implemented for the popular third party ROM. Mac OS X users are also waiting for a security update; despite instructions on how to distrust DigiNotar certificates on the Mac being available, Apple have, so far, remained silent about releasing an automated update.

http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html

Related: Firefox 6.0.2 fixes yet more DigiNotar certificate fallout
___________________

On-going details will be posted in the following (stickie) thread at the Spyware, Viruses & Security Forum:

Microsoft Security Advisory (2607712)


Was this reply helpful? (2)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close