Mozilla is Fixing a Major Flaw in Firefox
Mozilla has announced that it will patch a flaw in Firefox that, if exploited, could be used to impersonate the browser's add-on update server and deliver malicious code to the victim's computer. Mozilla also stated that the vulnerability can be used to unmask Tor users.
Tor developer Georg Koppen stated:
"The security hole allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries such as nation states."
Movrcx also commented on the security flaw:
"This attack enables arbitrary remote code execution against users accessing specific Clearnet resources when used along with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific Clearnet resources. Additionally, this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and move towards implantation after selected criteria are met; such as an installed language pack, public IP address, DNS cache, stored cookie and web history, and so on."
Movrcx went on to say that obtaining a legitimate TLS certificate for addons.mozilla.org is very hard, but not impossible. He also said that Tor Project members had not supported his claims earlier.
Independent security researcher Ryan Duff said that Firefox uses its own, weaker form of key pinning, which creates the attack vector, and that Mozilla has already fixed the flaw in a nightly build of the browser.
"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP. Enforcing the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in its attack scenario," Duff stated.
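To make the attack scenario concrete, the following is an added example written for this page; it is not Mozilla's pinning code and not code from any of the researchers quoted. It models a static pin set compiled into a browser build: a pin is the HPKP-style value base64(SHA-256(SubjectPublicKeyInfo)), and a chain for a pinned host is accepted only if one of its keys matches. The model assumes, as a hypothesis for illustration, that a static pin set carries an enforcement expiry and falls open once that date has passed; the host name, the pin data, the dates and the `StaticPinSet` / `static_pin_check` / `run_scenarios` names are all constructed for the demo. The scenarios show what the quotes describe: while pinning is enforced, a CA-valid but rogue certificate for addons.mozilla.org is rejected even though it would pass ordinary chain validation; once the static check stops enforcing, the same rogue chain is accepted and the update server can be impersonated.

```python
import base64
import hashlib
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Optional


def pin_sha256(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class StaticPinSet(NamedTuple):
    """A pin set compiled into the browser build (hypothetical model, not Mozilla's code)."""
    host: str
    pins: frozenset                 # acceptable pin-sha256 values for any key in the chain
    enforce_until: Optional[date]   # hypothetical: pins are enforced only until this date


def chain_matches(chain_spki: Iterable[bytes], pins: frozenset) -> bool:
    """True if at least one SPKI in the presented chain is in the pin set."""
    return any(pin_sha256(spki) in pins for spki in chain_spki)


def static_pin_check(host: str, chain_spki: List[bytes],
                     pin_sets: Dict[str, StaticPinSet], today: date) -> bool:
    """Return True if the chain is acceptable for `host` under static pinning.

    The chain is assumed to have already passed ordinary CA validation; this
    check is the extra layer meant to stop a CA-valid but rogue certificate.
    The model has two fail-open paths: an unpinned host, and a pin set whose
    enforcement window has lapsed. The second is the weakness being illustrated.
    """
    ps = pin_sets.get(host)
    if ps is None:
        return True                        # host not pinned: CA validation alone decides
    if ps.enforce_until is not None and today > ps.enforce_until:
        return True                        # stale static list: no longer enforced (fails open)
    return chain_matches(chain_spki, ps.pins)


# Constructed sample data: these byte strings stand in for DER SPKI blobs and
# are not real Mozilla or attacker keys.
MOZILLA_SPKI = b"constructed-spki-of-mozilla-addons-server-key"
ROGUE_SPKI = b"constructed-spki-of-attacker-key-with-CA-valid-cert"

PIN_SETS = {
    "addons.mozilla.org": StaticPinSet(
        host="addons.mozilla.org",
        pins=frozenset({pin_sha256(MOZILLA_SPKI)}),
        enforce_until=date(2016, 9, 1),    # hypothetical date chosen for the demo
    ),
}


def update_server_accepted(chain_spki: List[bytes], today: date) -> bool:
    """Would a chain presented for addons.mozilla.org be accepted on `today`?"""
    return static_pin_check("addons.mozilla.org", chain_spki, PIN_SETS, today)


def run_scenarios() -> Dict[str, bool]:
    """Genuine vs. rogue chain, before and after the static pins stop being enforced."""
    genuine = [MOZILLA_SPKI]
    rogue = [ROGUE_SPKI]                   # valid per the CA system, but not the pinned key
    enforced_day = date(2016, 8, 1)        # hypothetical: inside the enforcement window
    lapsed_day = date(2016, 9, 10)         # hypothetical: after enforce_until
    return {
        "genuine_while_enforced": update_server_accepted(genuine, enforced_day),
        "rogue_while_enforced": update_server_accepted(rogue, enforced_day),
        "genuine_after_expiry": update_server_accepted(genuine, lapsed_day),
        "rogue_after_expiry": update_server_accepted(rogue, lapsed_day),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} accepted={accepted}")
```

The point of the model is the last scenario: a static pin list is only as good as its enforcement, and a build whose pins have lapsed silently degrades to plain CA validation, which is exactly the situation in which an adversary holding a mis-issued but CA-valid certificate for the update host can deliver a malicious extension update. A deployment check for any static pinning scheme is therefore to assert, in a test, that a chain with an unpinned key is still rejected on the current date.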