Certificate store corruption vulnerability discovered in Mozilla, Firefox
by Andrew T.
Recently Geffr brought to our attention the discovery of a rare security vulnerability concerning the importing and storing of certificates in Mozilla 1.6/1.7 and Mozilla Firefox.
According to the reporter of the corresponding bug in Mozilla's bug-tracking system,
"Importing a self-made certificate (call it x) with the same DN (but different serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182 ('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service."
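The collision the reporter describes can be audited for by comparing the subject DN and serial number of user-imported certificates against the built-in roots. The following is an added example, not code from Mozilla or from the original post; the record layout, the DN normalization rules, and all sample certificates are constructed assumptions.

```python
import re
from collections import defaultdict

def normalize_dn(dn):
    """Canonicalize an RFC 4514-style DN string for comparison.

    Assumption: attribute types and values compare case-insensitively,
    with runs of whitespace collapsed. A real store compares encoded names.
    """
    out = []
    for rdn in re.split(r'(?<!\\),', dn):  # split on unescaped commas
        attr, _, value = rdn.partition('=')
        value = re.sub(r'\s+', ' ', value.strip()).casefold()
        out.append((attr.strip().casefold(), value))
    return tuple(out)

def find_dn_collisions(builtin, imported):
    """Return imported certs whose subject DN matches a built-in root
    but whose serial number differs (the condition in the bug report)."""
    serials_by_dn = defaultdict(set)
    for cert in builtin:
        serials_by_dn[normalize_dn(cert["subject"])].add(cert["serial"])
    hits = []
    for cert in imported:
        serials = serials_by_dn.get(normalize_dn(cert["subject"]))
        if serials and cert["serial"] not in serials:
            hits.append(cert)
    return hits

# Constructed sample data, not real certificates.
BUILTIN = [
    {"subject": "CN=Example Root CA, O=Example Trust, C=US", "serial": "01"},
    {"subject": "CN=Sample Root, O=Sample Org, C=DE", "serial": "7a"},
]
IMPORTED = [
    {"subject": "cn=Example  Root CA,o=example trust,c=us",
     "serial": "4d2", "nickname": "x"},
    {"subject": "CN=Internal Lab CA, O=Lab, C=US",
     "serial": "01", "nickname": "lab"},
]

if __name__ == "__main__":
    for cert in find_dn_collisions(BUILTIN, IMPORTED):
        print("DN collides with built-in root:", cert["nickname"])
```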
Posted by Andrew Turnbull on July 22, 2004 1:56 PM
