SafeUM
Home Blog Services Download Help About Recharge
EN
RU

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
EN
Lang
EN
RU
Archive
TOP Security!
19 Sep 2016

Mozilla plans Firefox fix for same malware vulnerability that bit Tor

Mozilla officials say they'll release a Firefox update that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.

The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer.

The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CA). While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.

Update early and often

Friday's advisory from Tor urges users to install the update as soon as possible. Shortly after this post went live, Mozilla officials said they planned to followed suit on Tuesday. According to a report posted Thursday by researcher Ryan Duff, production versions of Firefox are susceptible, although a nightly build version released on September 4 is not susceptible.

Duff said he was able to reproduce results published Tuesday by a different researcher that showed a Firefox-implemented protection known as "certificate pinning" was ineffective in preventing attacks using forged certificates. Certificate pinning is designed to ensure that a browser accepts only a specific certificate for a specific domain or subdomain and rejects all others, even if the certificates are issued by browser-trusted authority. Duff said the cause of the failure is linked to a form of static key pinning that's not based on the HTTP Public Key Pinning protocol. More specifically, the failure is the result of Mozilla not properly extending the expiration dates for the static keys list which caused the pinning to go unenforced after they expired.

In a statement issued after this post went live, Mozilla officials issued the following statement:

We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions. We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.

Until Mozilla releases the update, Firefox users who are concerned they might be targeted by nation-sponsored adversaries should consider using a different browser or, alternately, configuring Firefox to stop automatically accepting extension updates.

Tags:
Firefox information leaks Mozilla
Source:
Ars Technica
778
Other NEWS
20 Apr 2018 safeum news imgage Google boots fake Ad blockers from Chrome web store
20 Apr 2018 safeum news imgage Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
19 Apr 2018 safeum news imgage Critical unpatched RCE flaw disclosed in LG network storage devices
18 Apr 2018 safeum news imgage Apple is planning to launch a news subscription service
18 Apr 2018 safeum news imgage A big Spanish bank’s customers can now use it to transfer money
17 Apr 2018 safeum news imgage How Android phones hide missed security updates from you
16 Apr 2018 safeum news imgage Google is testing self-destructing emails in new Gmail
16 Apr 2018 safeum news imgage In a leaked memo, Apple warns employees to stop leaking information
13 Apr 2018 safeum news imgage WannaCry ransomware sinkhole data now available to organizations
13 Apr 2018 safeum news imgage Apple must pay $502.6 million to VirnetX, federal jury rules
12 Apr 2018 safeum news imgage Vevo’s YouTube account hack hits popular music videos, causes biggest video ever to disappear
11 Apr 2018 safeum news imgage Homeland security to compile database of journalists, bloggers
10 Apr 2018 safeum news imgage US may tie social media to visa applications
6 Apr 2018 safeum news imgage Mark Zuckerberg on Tim Cook’s criticism of Facebook: It’s “extremely glib and not aligned with the truth”
5 Apr 2018 safeum news imgage A robot’s ransom
All news
SafeUM
Confidential Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015