With all eyes on the Firefox 4 launch yesterday, updates for Firefox 3 have slipped by almost unnoticed. Mozilla yesterday made available updates for both active branches of the Firefox 3 web browser. Firefox users who are running Firefox 3.6.15 or Firefox 3.5.18 have the option to upgrade their browser to the latest Firefox 3 branch or the newly released Firefox 4 browser.
While it may be tempting to upgrade to Firefox 4 right away, it is often better to test a new browser version before turning the temptation into action. The main reason for waiting is that some extension developers waited for the final Firefox release before starting work on making their extensions compatible with Firefox 4.
Firefox 3.6.16 and 3.5.18 are now available for all supported operating systems and languages. Existing users should receive update notifications during startup. The update check is also available manually from the Help > Check for Updates menu. Alternatively, the latest version can be downloaded directly from the Mozilla website. The download options are, however, deeply nested on the site and not as easy to find since Mozilla started pushing the release of Firefox 4.
Both updates blacklist “a few invalid HTTPS certificates”. A post detailing the issue on the Mozilla Security blog points out that “users on a compromised network could be directed to sites using the fraudulent certificates [to] mistake them for [..] legitimate sites”. It would then be possible to deceive “them into revealing personal information such as usernames and passwords” or “into downloading malware”.
The issue is not Firefox specific, but Mozilla made the decision to protect Firefox users from possible exploits by blacklisting the revoked certificates.
Firefox 3 users should update their web browser as soon as possible, either to the latest Firefox 3 branch releases or the newly released Firefox 4, to protect the browser from possible exploits of the issue.

Microsoft has just updated Windows with “fake Comodo Certificates” update.
Great information ilev. So Microsoft, Google and Mozilla have updated. Does anyone know if Opera and Safari did as well?
“[get 'them'] into downloading malware” – Why would someone steal a few certs, to “trick” the victim into installing malware? I think a 0day would be cheaper and more effective.
If Microsoft issued an out-of-cycle update it means that the severity is as a 0-day attack.
Microsoft Security Advisory (2524375)
– Title: Fraudulent Digital Certificates Could Allow Spoofing
– http://www.microsoft.com/technet/security/advisory/2524375.mspx
BTW, Microsoft hasn’t yet fixed a 3-month-old MHTML security bug.
P.S These certificates affect the following Web properties:
• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”