Archive

Archive for the ‘BlackHat’ Category

Mozilla patches SSL, Microsoft CryptoAPI still exposed

August 5th, 2009 George Ou 1 comment

Mozilla has patched a very critical flaw in Firefox that allows attackers to pose as a legitimate Firefox update server and implant harmful code into a victim’s computer. Firefox 3.0.13 and 3.5.2 are no longer vulnerable to this attack, and the update should run automatically. It would be prudent to check manually by opening the “About” window under the Firefox “Help” menu.

See the full story at DigitalSociety.org »

Apple keyboards hacked and possessed

August 1st, 2009 George Ou 1 comment

If the bad news about all the new critical iPhone and Mac OS X vulnerabilities announced at BlackHat 2009 wasn’t bad enough, there now appears to be a new vulnerability in Apple’s hardware. This type of hack, however, isn’t something you can take to an Apple store and have an Apple “genius” exorcise, because once the Apple keyboard is infected and locked, there is no practical way of undoing the damage.

Read the rest and see my video interview with the researcher at DigitalSociety.org

SSL exploit turns Firefox into malware distributor

July 30th, 2009 George Ou 4 comments

Security researcher Moxie Marlinspike gave one of the more interesting and terrifying presentations at BlackHat 2009 in Las Vegas yesterday. Marlinspike demonstrated how the X.509 digital certificates used by Secure Sockets Layer (SSL) to secure online communications such as eCommerce and online banking were completely broken. This allowed Marlinspike to pose as the Mozilla update server for users on the same local area network, such as a hotspot, which allows him to distribute malware in the guise of a Mozilla Firefox update.

Read the rest at DigitalSociety.org.

Categories: BlackHat, Security, Security news