Certificate store corruption vulnerability discovered in Mozilla, Firefox

by Andrew T.

Recently Geffr brought to our attention the discovery of a rare security vulnerability concerning the importing and storing of certificates in Mozilla 1.6/1.7 and Mozilla Firefox.

According to the reporter of the corresponding bug in Mozilla's bug-tracking system,

"Importing a self-made certificate (call it x) with the same DN (but different serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182 ('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service."

Join our discussion in SillyDog701 Message Centre.


Posted by Andrew Turnbull on July 22, 2004 1:56 PM

more July 2004 stories or Year 2004 stories