seebug | Root | SSV:11950
History: Jul 31, 2009 - 12:00 a.m.

Mozilla Firefox NULL Character CA SSL Certificate Validation Security Bypass Vulnerability

2009-07-31 00:00:00
Root
www.seebug.org

EPSS: 0.005 (Low), percentile 74.3%

Bugtraq ID: 35888
CVE ID: CVE-2009-2408

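Mozilla Firefox is an open-source web browser.
Mozilla Firefox does not correctly validate the domain name in CA-signed certificates. A remote attacker can exploit this flaw to carry out man-in-the-middle attacks with a forged certificate.
If a malicious certificate is crafted whose Common Name contains a NULL character, and that certificate obtains a legitimate signature and is trusted by the browser, an attacker can present it in place of the legitimate certificate in a man-in-the-middle attack to obtain sensitive information or conduct other attacks.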
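The failure mode described above, as an added example that is not NSS or Firefox source code: a certificate name is a length-delimited byte string, and handling it as a C string stops at the first NUL byte. The struct, the function names and the sample names are hypothetical and constructed, and the check covers exact-match names only (no wildcard handling).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as decoded from ASN.1: bytes plus an explicit length.
 * Hypothetical type for illustration, not an NSS structure. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed pattern: treats the name as a C string, so the comparison ends at
 * the first NUL and ignores the rest of the name the CA actually signed.
 * (The samples below are NUL-terminated, so this read stays in bounds.) */
int name_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: fail closed on any embedded NUL, then require the
 * full encoded length to equal the hostname length before comparing. */
int name_matches_strict(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Constructed samples: a name with an embedded NUL, and a clean name. */
static const unsigned char SAMPLE_CN[] = "www.bank.example\0.attacker.example";
static const struct cert_name SAMPLE = { SAMPLE_CN, sizeof(SAMPLE_CN) - 1 };
static const unsigned char CLEAN_CN[] = "www.bank.example";
static const struct cert_name CLEAN = { CLEAN_CN, sizeof(CLEAN_CN) - 1 };

int main(void)
{
    const char *host = "www.bank.example";
    printf("naive:  crafted=%d clean=%d\n",
           name_matches_naive(&SAMPLE, host), name_matches_naive(&CLEAN, host));
    printf("strict: crafted=%d clean=%d\n",
           name_matches_strict(&SAMPLE, host), name_matches_strict(&CLEAN, host));
    return 0;
}
```

The same embedded-NUL rejection applies to subjectAltName dNSName entries, which are length-delimited in the same way.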

Mozilla Network Security Services (NSS) 3.12.2
Mozilla Network Security Services (NSS) 3.11.3
Mozilla Network Security Services (NSS) 3.9.2
Mozilla Network Security Services (NSS) 3.9
Mozilla Browser 1.5
Mozilla Network Security Services (NSS) 3.8
Galeon Galeon Browser 1.2.13
Mozilla Browser 1.4.1
Mozilla Browser 1.4 b
Mozilla Browser 1.4 a
Mozilla Browser 1.4
Mozilla Network Security Services (NSS) 3.7.7
Mozilla Network Security Services (NSS) 3.7.5
Mozilla Network Security Services (NSS) 3.7.3
Mozilla Network Security Services (NSS) 3.7.2
Mozilla Network Security Services (NSS) 3.7.1
Mozilla Network Security Services (NSS) 3.7
Mozilla Network Security Services (NSS) 3.6.1
Mozilla Network Security Services (NSS) 3.6
Mozilla Network Security Services (NSS) 3.5
Mozilla Network Security Services (NSS) 3.4.2
Mozilla Network Security Services (NSS) 3.4.1
Mozilla Network Security Services (NSS) 3.4
Mozilla Network Security Services (NSS) 3.3.2
Mozilla Network Security Services (NSS) 3.3.1
Mozilla Network Security Services (NSS) 3.3
Mozilla Network Security Services (NSS) 3.2.1
Mozilla Network Security Services (NSS) 3.2
Mozilla Network Security Services (NSS) 3.12
Mozilla Network Security Services (NSS) 3.11
Mozilla Firefox 3.0.12
Mozilla Firefox 3.0.11
Mozilla Firefox 3.0.10
Mozilla Firefox 3.0.9
Mozilla Firefox 3.0.8
Mozilla Firefox 3.0.7 Beta
Mozilla Firefox 3.0.7
Mozilla Firefox 3.0.6
Mozilla Firefox 3.0.5
Mozilla Firefox 3.0.4
Mozilla Firefox 3.0.3
Mozilla Firefox 3.0.2
Mozilla Firefox 3.0.1
Mozilla Firefox 3.0 Beta 5
Mozilla Firefox 3.0

Vendor solution
Mozilla Firefox 3.5 is not affected by this vulnerability. Users are advised to contact the vendor to obtain an upgrade:
http://www.mozilla.com/en-US/