
Firefox 37.0.1 disables features after vulnerabilities found


The March 31 release of Firefox 37 introduced the opportunistic encryption feature to the browser. By Friday that feature had been disabled in a 37.0.1 update after a researcher found a critical vulnerability in it that an attacker could exploit to impersonate a site.

Security researcher Muneaki Nishimura identified the flaw.

“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” according to an advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a [MitM], replacing the original certificate with their own.”
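The flaw described in the advisory is a client that accepted an Alt-Svc alternative without proving the alternative was the origin. The following is an added example, not Firefox's or Mozilla's code: a small Python model of how a client should handle Alt-Svc, parsing the header (RFC 7838 syntax) and then verifying the alternative's certificate against the origin host name, not the alternate host name, and never skipping verification. The header values and host names are constructed for illustration.

```python
from __future__ import annotations
import re
import socket
import ssl
from dataclasses import dataclass

# One Alt-Svc alternative: protocol-id="alt-authority"; params (RFC 7838 section 3).
ALT_VALUE_RE = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')
DEFAULT_MAX_AGE = 86400  # RFC 7838: the "ma" parameter defaults to 24 hours

@dataclass(frozen=True)
class Alternative:
    protocol: str
    host: str      # host to open the TCP connection to
    port: int
    max_age: int

def parse_alt_svc(value: str, origin_host: str) -> list[Alternative]:
    """Parse an Alt-Svc header value. 'clear' removes all alternatives.
    An empty alt-authority host means 'same host as the origin'."""
    if value.strip() == "clear":
        return []
    alts = []
    for proto, authority, params in ALT_VALUE_RE.findall(value):
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue  # malformed alt-authority: ignore rather than trust it
        max_age = DEFAULT_MAX_AGE
        for name, val in re.findall(r';\s*([^;=]+)=([^;]+)', params):
            if name.strip() == "ma" and val.strip().isdigit():
                max_age = int(val)
        alts.append(Alternative(proto, host or origin_host, int(port), max_age))
    return alts

def alternative_tls_target(origin_host: str, alt: Alternative) -> tuple[str, int, str]:
    """Return (connect_host, connect_port, name_to_verify).
    The TCP connection goes to the alternative, but the certificate it presents
    must be valid for the ORIGIN. Verifying the alternate host name instead, or
    not verifying at all (the Firefox 37.0 bug), lets anyone who can inject an
    Alt-Svc header redirect the origin to a server they control."""
    return (alt.host, alt.port, origin_host)

def connect_alternative(origin_host: str, alt: Alternative, ctx: ssl.SSLContext | None = None):
    """Open a TLS connection to the alternative with full certificate checking."""
    connect_host, port, verify_name = alternative_tls_target(origin_host, alt)
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ctx or ssl.create_default_context()
    sock = socket.create_connection((connect_host, port), timeout=5)
    return ctx.wrap_socket(sock, server_hostname=verify_name)
```

`connect_alternative` performs real network I/O; the parsing and target-selection functions can be exercised offline.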

Other critical issues addressed in Firefox 37.0.1 included use-after-free vulnerabilities, memory corruption crashes, and miscellaneous memory safety hazards. The update also fixed a flaw in the Android version of the browser that allowed privileged URLs to bypass restrictions.
