The Firefox and Thunderbird auto-update mechanism protects itself against DNS spoofing using SSL; only a site presenting a valid certificate for aus2.mozilla.org will be trusted as a source of update information. Jon Oberheide points out, however, that many users accept unverifiable self-signed certificates without much thought on “low value” sites, and this could be used as the basis of an attack on the update system.
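The defensive consequence of the paragraph above is that an update check must fail closed, with no way for a previously accepted certificate exception to apply. This sketch is an added example, not Mozilla's code: it uses Python's standard library to stand in for an update client, and the function names and the `/update` path in the test are hypothetical.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

UPDATE_HOST = "aus2.mozilla.org"  # update host named in the advisory


def strict_update_context():
    """TLS context for update checks: system CA roots only, no exceptions."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must reach a trusted root
    return ctx


def weak_context():
    """For contrast: the programmatic form of clicking through a warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons a context is unfit for fetching update metadata."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("certificate name is not matched against the host")
    return problems


def fetch_update_info(url, ctx, timeout=10.0):
    """Fetch update metadata, refusing before any network I/O if unsafe."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != UPDATE_HOST:
        raise ValueError("refusing update source %r" % url)
    problems = audit_context(ctx)
    if problems:
        raise ValueError("unsafe TLS context: " + "; ".join(problems))
    # A self-signed or mismatched certificate raises here (URLError wrapping
    # an SSL verification error); there is no "accept anyway" branch.
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```
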
| CPE | Name | Operator | Version |
|---|---|---|---|
| | firefox | lt | 1.5.0.7 |
| | thunderbird | lt | 1.5.0.7 |