The Mac Security Blog

Mozilla Fixes Multiple Vulnerabilities with Firefox 18

On Tuesday, the Mozilla Foundation released Firefox 18 for Mac OS X 10.6 and later, fixing 21 vulnerabilities (12 critical, 8 high, 1 moderate) that cover 29 CVEs overall. Most of the critical vulnerabilities resolved in Firefox 18 are related to arbitrary code execution, while the other bug fixes are related to memory corruption or other potentially exploitable security issues.

Among the more notable issues addressed is the mis-issued *.google.com certificate (CVE-2013-0743), which was detected by the Google Chrome team. TURKTRUST, a certificate authority in Mozilla’s root program, had mis-issued two intermediate certificates to customers. After Chrome detected and blocked an unauthorized digital certificate for the *.google.com domain, the Google Chrome team investigated further and “found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority.” This is problematic because anyone who holds an intermediate certificate authority certificate can use it to create a certificate for any website they wish to impersonate.

Mozilla clarified in its security advisory:

 The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. The issue was resolved by revoking the trust for these specific mis-issued certificates.

Following is a complete list of the resolved vulnerabilities in Firefox 18:

Users can update Firefox using the browser’s internal updater (Firefox > About Firefox > Check for Updates), or download the new Firefox from Mozilla’s official site.
