Firefox 37.0.1 disables features after vulnerabilities found | SC Media
Patch management

Firefox 37.0.1 disables features after vulnerabilities found

April 8, 2015

The March 31 release of Firefox 37 introduced the opportunistic encryption feature to the browser. By Friday that feature had been disabled in a 37.0.1 update after a researcher found a critical vulnerability that could be exploited.

Security researcher Muneaki Nishimura identified the flaw.

“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” according to an advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a [MitM], replacing the original certificate with their own.”

Other critical issues addressed in Firefox 37.0.1 included use-after-free vulnerabilities, memory corruption crashes, and miscellaneous memory safety hazards. The update also fixed a flaw in the Android version of the browser that allowed privileged URLs to bypass restrictions.

prestitial ad