Mozilla officials say they’re investigating whether the fully patched version of Firefox is affected by the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.
The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory.
From there, the attacker could deliver a malicious update for NoScript or any other Firefox extension installed on a targeted computer.
The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CAs).
While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model.
In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.
Update early and often
Friday’s advisory from Tor urges users to install an update as soon as possible.
So far, Mozilla officials haven’t followed suit, but a representative said they’re still investigating the vulnerability to see if it affects the current versions of Firefox.
According to a report posted Thursday by researcher Ryan Duff, production versions of Firefox are susceptible, although a nightly build version released on September 4 is not susceptible.
Duff said he was able to reproduce results published Tuesday by a different researcher that showed a Firefox-implemented protection known as “certificate pinning” was ineffective in preventing attacks using forged certificates.
Certificate pinning is designed to ensure that a browser accepts only a specific certificate for a specific domain or subdomain and rejects all others, even if the certificates are issued by a browser-trusted authority.
Duff said he wasn’t precisely sure why the Firefox-implemented pinning didn’t catch the forged credentials used in his tests, but he suspects the cause is linked to a form of static key pinning that’s not based on the HTTP Public Key Pinning protocol.
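The check that static key pinning adds on top of ordinary CA validation, as an added example that is not from the article, Mozilla or Tor. The SPKI byte strings, the pin table and the function names are constructed for illustration, and chain validation is reduced to a lookup of the root key.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
LEGIT_LEAF_SPKI = b"constructed-spki:addons-leaf"
LEGIT_CA_SPKI = b"constructed-spki:pinned-ca"
OTHER_CA_SPKI = b"constructed-spki:other-trusted-ca"
FORGED_LEAF_SPKI = b"constructed-spki:forged-leaf"


def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 digest of the SPKI, the usual form of a key pin."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Every CA the client trusts (a browser ships several hundred).
TRUSTED_ROOTS = {spki_pin(LEGIT_CA_SPKI), spki_pin(OTHER_CA_SPKI)}

# Static pin set compiled into the client: host -> acceptable key pins.
STATIC_PINS = {"addons.mozilla.org": {spki_pin(LEGIT_CA_SPKI)}}


def ca_trusted(chain: list[bytes]) -> bool:
    """Plain PKI check (simplified): the chain ends at any trusted root."""
    return bool(chain) and spki_pin(chain[-1]) in TRUSTED_ROOTS


def pin_ok(host: str, chain: list[bytes]) -> bool:
    """Pin check: some key in the chain must be in the host's pin set.
    Hosts without a pin entry fall back to CA trust alone."""
    pins = STATIC_PINS.get(host)
    if pins is None:
        return True
    return any(spki_pin(spki) in pins for spki in chain)


def accept(host: str, chain: list[bytes], enforce_pins: bool = True) -> bool:
    """Accept a connection only if CA trust and (when enforced) pinning pass."""
    if not ca_trusted(chain):
        return False
    return pin_ok(host, chain) if enforce_pins else True


# Chain order is leaf first, root last.
legit_chain = [LEGIT_LEAF_SPKI, LEGIT_CA_SPKI]
forged_chain = [FORGED_LEAF_SPKI, OTHER_CA_SPKI]  # trusted CA, but not the pinned one
```

With pins enforced, the chain from the non-pinned CA is rejected for the pinned host; with enforcement off, the same chain is accepted on CA trust alone, which is the condition the advisory describes.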
Until Mozilla issues a statement, Firefox users who are concerned they might be targeted by nation-sponsored adversaries should consider using a different browser or, alternatively, configuring Firefox to stop automatically accepting extension updates.