Latest version fixes recent problems in SSL certificate handling

Aug 21, 2009 12:59 GMT  ·  By

Two weeks after Moxie Marlinspike and Dan Kaminsky revealed null byte SSL exploits affecting Mozilla software, the latest security update from the Thunderbird team completely fixes Mozilla's SSL certificate handling problems. Earlier security updates patched the Firefox browser (3.5.2 and 3.0.13) and can be found here.

With the disclosures made by Kaminsky and Marlinspike at the Black Hat conference at the end of July, security experts at Mozilla went into high gear to close the loopholes left in SSL certificate handling. Previously, an attacker could have embedded a null byte in the name on an SSL certificate to trick Thunderbird (and Firefox as well) into believing it had been issued for a different site.

As H-Security explained in its article, certificates for www.paypal.com\0.thoughtcrime.org and www.paypal.com would have been treated the same, even though one of them is plainly malformed. Using this simple method, hackers would have been able to intercept any client-server conversation and acquire the information transmitted through the supposedly secure channel.
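The comparison mistake behind the two names above is easy to see in a few lines. The following is an added, constructed example (not Mozilla or NSS code) that models a C-style name check which stops at the first NUL byte against a length-aware check that rejects embedded NUL bytes; the function names and the sample certificate names are assumptions made for the illustration.

```python
"""Constructed illustration of the null-byte certificate-name bug.

Not Mozilla/NSS code: it models, in plain Python, a C-style comparison that
treats the CN as a NUL-terminated string, and a length-aware check that uses
the full DER-encoded length and refuses any name containing a NUL byte.
"""

# Constructed sample names for the demonstration (hypothetical values).
LEGITIMATE_CN = b"www.paypal.com"
CRAFTED_CN = b"www.paypal.com\x00.thoughtcrime.org"
EXPECTED_HOST = b"www.paypal.com"

# Characters that may appear in a DNS hostname (compared lower-cased).
_HOSTNAME_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789-.")


def c_string_view(name: bytes) -> bytes:
    """Model C's view of a NUL-terminated string: everything after the first
    NUL byte is invisible to strcmp()/strlen()-style code."""
    nul = name.find(b"\x00")
    return name if nul == -1 else name[:nul]


def naive_hostname_matches(cert_cn: bytes, expected_host: bytes) -> bool:
    """Vulnerable behaviour (modelled): the CN is compared as a C string, so
    the tail after the NUL byte is silently ignored."""
    return c_string_view(cert_cn).lower() == expected_host.lower()


def hardened_hostname_matches(cert_cn: bytes, expected_host: bytes) -> bool:
    """Fixed behaviour: honour the full length of the name. A NUL byte is not a
    legal hostname character, so such a name is rejected before comparison."""
    if b"\x00" in cert_cn:
        return False
    lowered = cert_cn.lower()
    if not lowered or any(ch not in _HOSTNAME_CHARS for ch in lowered):
        return False
    return lowered == expected_host.lower()


def domain_a_ca_would_have_validated(cert_cn: bytes) -> bytes:
    """Return the registrable suffix a CA reading the whole name would have
    checked ownership of: the label after the last NUL byte. This is what
    makes the crafted name obtainable while the client sees something else."""
    return cert_cn.rsplit(b"\x00", 1)[-1].lstrip(b".")


def compare_checks(cert_cn: bytes, expected_host: bytes) -> dict:
    """Run both checks on one name and report the disagreement, if any."""
    return {
        "cn": cert_cn,
        "naive_accepts": naive_hostname_matches(cert_cn, expected_host),
        "hardened_accepts": hardened_hostname_matches(cert_cn, expected_host),
        "ca_validated_domain": domain_a_ca_would_have_validated(cert_cn),
    }


if __name__ == "__main__":
    for cn in (LEGITIMATE_CN, CRAFTED_CN):
        print(compare_checks(cn, EXPECTED_HOST))
```

The point to take away for any code that pulls a name out of a DER structure: the length comes from the encoding, never from a terminator, and a name containing bytes that cannot occur in a hostname should fail the match rather than be truncated into something that looks right.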

Even more dangerous would have been an attacker using this vulnerability against Mozilla itself, since all security updates are delivered over an SSL channel. Third parties could then have distributed malicious software disguised as regular Mozilla products without any difficulty.

With this release, Mozilla Thunderbird should be immune to future null byte poisoning, and any other problems or incidents should be reported to the Thunderbird online bug tracker.

As a curiosity, the Firefox security update was released a few days after the bug was detected. The Thunderbird SSL certificate security patch, on the other hand, was released three weeks after the Black Hat presentation in which Kaminsky and Marlinspike announced their research.

The Thunderbird security upgrade 2.0.0.23 can be downloaded from this link.

Thunderbird is an open-source, cross-platform mail client and news reader for most modern operating systems, including Windows, Macintosh and Linux. Version 2.0.0.23 includes 39 language packs, for a personalized experience with one of the world's best email clients.