Firefox to Release a Crucial Fix Tomorrow

Mozilla is going to patch a flaw in Firefox that, if exploited, could let attackers impersonate the browser’s software update servers and inject malicious code into the victim’s computer.

The vulnerability can be exploited to unmask people using the Tor Project’s Firefox-based Tor Browser. The security hole allows an attacker who obtains a valid certificate for addons.mozilla.org to impersonate the update servers and deliver a malicious extension update.

Georg Koppen, a key developer at The Tor Project, cited this while announcing the newest version of Tor, which addresses the problem:

“This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states. Additionally, this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met, such as an installed language pack, public IP address, DNS cache, stored cookies, stored web history, and so on.”

He also stated that the need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx says was ‘difficult to accomplish but not impossible’. He went on to state that initially the developers at Tor didn’t believe his claims.

Ryan Duff, an independent security researcher, says Firefox used its own weak version of key pinning, which then created the attack vectors. He added that Mozilla had fixed the flaw in the version of its browser.

“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP,” Duff said. “The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is by-passable in this attack scenario.”

Mozilla has pushed the remedy into its stable version, which is to be released September 20th.
