Mozilla is going to patch a flaw in Firefox that if used properly, could be used by attackers to pretend to be the browsers software update servers, and inject malicious code into the victim’s computer.
The vulnerability can be exploited to unmask people using the Tor Projects Firefox based, Tor Browser. The hole in security allows an attacker to obtain a valid certificate for addons.mozilla.org to pretend to be the update servers and deliver a malicious extension update.
Georg Koppen, a key developer at The Tor Project, cited this, while announcing the newest version of Tor, which addresses this problem:
“This could lead to arbitrary code execution. Moreover, other built-in certificate pinning’s are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states. Additionally, this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met, such as an installed language pack, public IP address, DNS cache, stored cookies, stored web history, and so on.”
He also stated that the need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx says was ‘difficult to accomplish but not impossible’. He went on to state that initially the developers at Tor didn’t believe his claims.
Ryan Duff, an independent security researcher says Firefox used its own weak version of key pinning, which then created the attack vectors. Adding Mozilla had fixed the flaw in the version of its browser.
“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP,” Duff said. “The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is by-passable in this attack scenario.
Mozilla has pushed the remedy into its stable version, which is to be released September 20th.
If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.
