Mozilla Foundation Security Advisory 2012-54
Title: Clickjacking of certificate warning page
Impact: Moderate
Announced: July 17, 2012
Reporter: Matt McCutchen
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 13
Firefox ESR 10.0.6
Thunderbird 13
Thunderbird ESR 10.0.6
SeaMonkey 2.10
Description
Security researcher Matt McCutchen reported a clickjacking attack using the certificate warning page. A man-in-the-middle (MITM) attacker can use an iframe to display its own certificate error warning page (about:certerror) with the "Add Exception" button of a real warning page from a malicious site. This can mislead users into adding a certificate exception for a different site than the perceived one. Once the certificate exception has been added, this can lead to compromised communications with the user-perceived site through the MITM attack.
