Those using the Mozilla Firefox web browser are left unable to access microsoft.com and its subdomains this week.
Tests by BleepingComputer confirm the issue relates to SSL certificate validation errors. Below we explain what you can do to remedy the issue.
When using Firefox, accessing microsoft.com is not working quite as expected for many around the world.
To confirm, BleepingComputer conducted tests on both Firefox 93.0 and the latest version 95.0 (64-bit) on a macOS Big Sur 11.6 device.
Surely enough, on both versions of Firefox, navigating to https://www.microsoft.com/ throws a ‘Secure Connection Failed’ error:
Earlier this week, reports of Firefox users unable to access select Microsoft subdomains also emerged. These included docs.microsoft.com, answers.microsoft.com, and visualstudio.microsoft.com, among others.
BleepingComputer is unable to reproduce the connection issues on all of these subdomains, but we could not connect to developer.microsoft.com and partner.microsoft.com at the time of writing.
It is also possible the error only appears on some but not all attempts due to multiple nameservers associated with each domain.
Apparently, the SSL certificate presented by microsoft.com and its subdomains is not good enough for Firefox—we had no issues accessing the tech giant’s websites on Google Chrome and Safari.
Specifically, the error code ‘MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING’ and the message “The OCSP response does not include a status for the certificate being verified” help track down the cause of the issue.
The Online Certificate Status Protocol (OCSP) is a way for browsers and other client-side applications to check if an SSL certificate has been revoked, as an alternative to relying on traditional revocation lists.
When presented with an SSL certificate, client-side applications can connect to the certificate authority (CA) to verify its revocation status.
The error, however, stems from a concept known as OCSP stapling.
OCSP stapling is a means to improve on the original OCSP standard by eliminating the need for client-side applications to query CA servers to check a certificate’s status. This reduces the cost associated with making an extra lookup and improves overall performance and security.
Instead of the client-side application having to make one more request to the CA server to validate the X.509 certificate presented by a website, the website itself makes periodic requests to the CA and retrieves an ephemerally valid signed ‘proof’ of the certificate’s validity.
The certificates presented to client-side apps come appended with this signed time-stamped response that can be trivially verified by the client-side application to ascertain the certificate’s status.
If ‘OCSP stapling’ is enabled on an application, such as a web browser, the application can decide whether to terminate the secure connection for certificates deemed invalid, based on the response attached to the certificate.
Or, as Mozilla’s Dana Keeler explains it:
OCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site’s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.
But, if Microsoft.com’s SSL certificate is otherwise valid, according to Chrome and Safari, why won’t Firefox accept it?
It seems that an 8-year-old bug in Firefox, or a missing feature, is to blame for the issue.
Firefox did not yet recognize the SHA-2 family of hashes, such as SHA-256, in the CertID fields that are present in OCSP responses it receives.
As such, any certificate containing the SHA-256 hashes, as opposed to the older SHA-1, is deemed invalid and causes Firefox to terminate the connection with the website.
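The mismatch described above can be modelled in a few lines. This is an added example, not Firefox or mozilla::pkix code: a simplified stand-in for RFC 6960 CertID matching in which the function names, the `supported` parameter and the issuer bytes are all constructed for illustration. It shows why a client that only understands SHA-1 CertIDs reports that the response has no status for the certificate, even though the stapled response says "good".

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the issuer's DER-encoded name and public key.
ISSUER_NAME_DER = b"constructed-issuer-distinguished-name"
ISSUER_KEY_BITS = b"constructed-issuer-public-key"
SERIAL = 0x1234ABCD  # constructed serial number

@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: identifies the certificate a status applies to."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def make_cert_id(hash_alg, name_der, key_bits, serial):
    h = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, h(name_der), h(key_bits), serial)

def find_status(responses, name_der, key_bits, serial, supported):
    """Return the status for our certificate, or 'cert-missing'.

    `responses` is a list of (CertID, status) pairs from a stapled response.
    `supported` is the set of CertID hash algorithms the client understands.
    """
    for cert_id, status in responses:
        if cert_id.hash_alg not in supported:
            continue  # unknown algorithm: entry treated as "not our cert"
        if cert_id == make_cert_id(cert_id.hash_alg, name_der, key_bits, serial):
            return status
    return "cert-missing"

def demo():
    sha1_staple = [(make_cert_id("sha1", ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL), "good")]
    sha256_staple = [(make_cert_id("sha256", ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL), "good")]
    args = (ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)
    return {
        "sha1_only_client/sha1_staple": find_status(sha1_staple, *args, {"sha1"}),
        "sha1_only_client/sha256_staple": find_status(sha256_staple, *args, {"sha1"}),
        "fixed_client/sha256_staple": find_status(sha256_staple, *args, {"sha1", "sha256"}),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The certificate and its status are identical in all three cases; only the hash algorithm used inside the CertID, and whether the client can recompute it, changes the outcome.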
Over the last few hours, Firefox developers have managed to work on a fix that should land in an upcoming version.
A quick workaround to remediate the connection issues is to temporarily disable OCSP stapling in Firefox, as confirmed by BleepingComputer.
The change takes effect almost instantaneously (so no need to look for a ‘save’ button).
You should now be able to browse microsoft.com and its subdomains without any issues.
Once Firefox does release an update to address the cause, navigate to about:config following the aforementioned steps to set OCSP stapling to ‘true’ once again for a secure browsing experience.
Updates:
6:01 AM ET: Upcoming Firefox 95.0.1, 96.0b6, and 91.4.1esr releases are expected to become available later today and resolve the issue.
12:45 PM ET: Firefox release 95.0.1 is now available.
Using the latest Firefox 95 for Linux… I had no problem without making changes to Firefox registry… connecting with https://answers.microsoft.com/en-us/outlook_com/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
It’s not failing on all attempts I realized due to rotating IP addresses:
“It is also possible the error only appears on some but not all attempts due to multiple nameservers associated with each domain.”

developer.microsoft[.]com fails more often in our tests.

https://twitter.com/Ax_Sharma/status/1471407381108121600
Bug. Should have been fixed 8 years ago. I get it. Mozilla can be awful with fixing bugs they don’t see as an immediate problem. That’s a real problem that should be addressed.

Yet, I don’t see being unable to get to *Microsoft’s* website a huge problem for most of Firefox’s userbase. There’s probably others more likely to be problematic, however.
Firefox updated today

Version 95.0.1, first offered to Release channel users on December 16, 2021
https://www.mozilla.org/en-US/firefox/95.0.1/releasenotes/

Fixed frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error messages when trying to connect to various microsoft.com domains (bug 1745600)

The way I got on is to go to google.com then type microsoft.com in the address bar. But then again I don’t go there but very seldom.