The March 31 release of Firefox 37 introduced the opportunistic encryption feature to the browser. By Friday that feature had been disabled in a 37.0.1 update after a researcher found a critical vulnerability that could be exploited.
Security researcher Muneaki Nishimura identified the flaw.
“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” according to an advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a [MitM], replacing the original certificate with their own.”
Other critical issues addressed in Firefox 37.0.1 included use-after-free vulnerabilities, memory corruption crashes, and miscellaneous memory safety hazards. The update also fixed a flaw in the Android version of the browser that allowed privileged URLs to bypass restrictions.
