Mozilla Recalls New Features Due to Fatal Security Bug

by P. H. Madore, April 9, 2015

Firefox 37 was released on March 31st, but less than a week later, on April 3rd, Mozilla was forced to release a patch that disabled many new features it had instituted.

Opportunistic Encryption

Mozilla had attempted to implement a security feature called opportunistic encryption, which makes it harder for attackers to passively monitor a client's traffic to servers that do not offer their own native encryption. A little less than 60% of the top one million websites online do not use SSL by default. Many argue that they have no need to, as they are simply displaying information rather than collecting anything sensitive. But unencrypted connections make it easier for attackers to compromise the clients using those websites, and opportunistic encryption is an effort to mitigate this risk.

The Firefox bug was discovered by one of Mozilla's own security researchers, Muneaki Nishimura, and in the advisory the foundation issued, it described the bug as a pretty serious problem:

If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.
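To make the rule the advisory describes concrete, here is an added example (not Mozilla's or Firefox's code) that parses an Alt-Svc header and applies the check the bug skipped: an alternative service may only be used if its certificate chains to a trusted root and is valid for the origin's host name, not merely for the alternate host. The parser, the Alternative type and the SAN-list input are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Matches one RFC 7838 alternative: protocol-id="authority"; optional params
ALT_SVC_RE = re.compile(r'([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"((?:\s*;\s*[^,;]+)*)')


@dataclass
class Alternative:
    protocol: str   # ALPN identifier, e.g. "h2"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds the alternative may be cached


def parse_alt_svc(header: str) -> list[Alternative]:
    """Parse an Alt-Svc header value; 'clear' drops all alternatives."""
    if header.strip().lower() == "clear":
        return []
    alts = []
    for proto, authority, params in ALT_SVC_RE.findall(header):
        host, _, port = authority.rpartition(":")
        max_age = 86400  # RFC 7838 default when "ma" is absent
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "ma" and value.isdigit():
                max_age = int(value)
        alts.append(Alternative(proto, host, int(port), max_age))
    return alts


def _name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry; a single leading wildcard label is allowed."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def alternative_is_trusted(origin_host: str, alt: Alternative,
                           alt_cert_san: list[str], chain_valid: bool) -> bool:
    """The rule the bug violated: the alternative's certificate must chain to a
    trusted root AND be valid for the ORIGIN host. A certificate that is only
    valid for alt.host (or not validated at all) must be rejected, otherwise a
    MITM can redirect the origin to a server presenting its own certificate."""
    if not chain_valid:
        return False
    return any(_name_matches(name, origin_host) for name in alt_cert_san)
```

Note that a certificate valid only for the alternate host is rejected even when it chains correctly, which is exactly the distinction the buggy release lost.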

Testament to the Community

Software development is a risky business, especially when you're producing one of the world's most popular web browsers. A mistake like this could have led to serious, unnecessary breaches of user privacy, and could have spelled the end of the Mozilla Foundation as an entity taken seriously. It is a testament to the community that it took less than four days for the flaw to be discovered. It is well documented that bugs in the production code of much larger organizations, such as Microsoft, have persisted for years without a patch or, worse, have received patches that actually broke security even further.


Further Auditing in Order

Perhaps the past few updates haven't been fully audited, you may be thinking. And you may be right. Luckily, if you're a security researcher, you've got an opportunity to make some money by finding vulnerabilities and exploits: Mozilla's bug bounty program pays up to $3,000 per flaw that you find.

Not the First Major Mozilla Flaw

Like all widely used software, Firefox has had its share of bumps in the road. Notably, in 2012, a JavaScript vulnerability allowed an attacker to escalate to administrator privileges on affected machines. Like the opportunistic encryption bug described here, it didn't last long.

  • Gotoneofthesetoo

    Firefox has sucked for at least 2 years: unexpected crashes/resource hogging. WHY can't the fumduckers TEST their POS code adequately before pushing the latest release on us? In this piece their own researcher found the problem 4 days after release; why not test more thoroughly PRIOR to release?? I've emailed repeatedly and never receive even a canned courtesy response, so eff 'em. Gone back to Opera [which I abandoned ~4 years ago because THEY had gotten bloated and buggy back then]. So far their newest release is performing very well. If only they all didn't think that bigger is better/new "features" = improvement. PATCH THE HOLES, DON'T REBUILD THE WHOLE HIGHWAY EVERY 3 MONTHS.