Subject: Snapshot 1.0.124.2: Mea Culpa

After we released the 1.0.123.10 snapshot yesterday, some observant testers checked the release for the recent FREAK vulnerability and found that the Linux and Mac versions were vulnerable. 🙁

FREAK is “just” the latest SSL/TLS-related vulnerability with its own trademarked name (following in the footsteps of Heartbleed, POODLE, Shellshock and others).

It is particularly problematic because it allows an attacker to decrypt all traffic between a client and a secure server by tricking the client into accepting a weak key from the server.

This problem did not affect the Windows versions, since they use an SSL/TLS implementation that is not vulnerable, but the Linux and Mac versions use Google’s OpenSSL fork BoringSSL, which was vulnerable until February 26, when Google patched it.

We did patch last week’s TP2 for the FREAK problem, but embarrassingly enough, we forgot to update the normal development code :$

To fix this issue we are posting a new snapshot with this fix, and a few other updates.

Please keep in mind that snapshots are produced directly from the development code, and have not been subjected to a thorough release process like the Technology Preview releases.

Download

Changelog:

  • Added fix in BoringSSL for FREAK vulnerability
  • VB-3917 Call correct closeTab action when keyboard closes the tab
  • Hide tooltip properly on mouseout
  • VB-4117 Tab tooltips show up when disabled