Mozilla has patched two vulnerabilities relating to the way browsers interact with SSL certificates. The flaws, which potentially could permit man-in-the-middle attacks, were disclosed by two researchers, Dan Kaminsky and Moxie Marlinspike, in separate presentations at last week's Black Hat conference in Las Vegas. Marlinspike showed how a heap overflow bug could be exploited to present a specially crafted SSL certificate to the user, while Kaminsky revealed a way to obtain a certificate that would work on a victim site. Users are encouraged to download the latest version of Firefox 3.5. — DK
Various Canadian government agencies, along with the country's financial and transportation industries, were subjected to distributed denial-of-service attacks by the pro-Russian cybercrime operation NoName057(16), according to SecurityWeek.
A hearing ostensibly focused on CISA's CDM and EINSTEIN cybersecurity programs took a detour as witnesses strongly warned Congress that a shutdown could imperil federal cybersecurity efforts.
TechCrunch reports that major payments technology platform Square disclosed that a daylong outage it suffered late last week was prompted by a DNS error and not by a cyberattack. "While making several standard changes to our internal network software, the combination of updates prevented our systems from properly communicating with each other, and ultimately caused the disruption."