Firefox is vulnerable to malicious add-on attacks. A critical vulnerability in the fully patched version of Mozilla’s Firefox browser could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks, and it also affects the Tor anonymity network.
Firefox automatically updates installed add-ons over an HTTPS connection. In order to prevent MITM attacks that leverage misissued certificates, Mozilla also uses a form of certificate pinning.
The Tor Project patched the issue in the browser’s HTTPS certificate pinning system on Friday with the release of its Tor Browser version 6.0.5, while Mozilla still has to patch the critical flaw in Firefox.
The problem is that Mozilla does not use the typical HTTP Public Key Pinning (HPKP). A flaw in its own process has led to pinning for add-on updates becoming ineffective since the launch of Firefox 48 on September 10 and Firefox ESR 45.3.0 on September 3.
Attackers can deliver Fake Tor and Firefox Add-on Updates
The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and, as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer. The vulnerability also affects the Tor Browser, which is based on Firefox. The Tor Browser is particularly susceptible considering that, unlike Firefox, which might not have any add-ons installed.
Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of several hundred Firefox-trusted certificate authorities (CAs), it is within reach of powerful nation-state attackers.
The vulnerability was initially discovered Tuesday by a security expert who goes by the name of @movrcx. He described the attacks against Tor, estimating attackers would need US$100,000 to launch the multi-platform attacks.
The theoretical attack scenario outlined by Movrcx was initially “mocked as non-credible” by representatives of the Tor Project. However, a few days after Movrcx’s disclosure, researcher Ryan Duff confirmed that the attack worked against both Firefox and the Tor Browser, and explained the root cause of the problem.
Actual Issue resides in Firefox’s Certificate Pinning Procedure
However, according to a report posted Thursday by independent security researcher Ryan Duff, this issue also affects Firefox stable versions, though a nightly build version rolled out on September 4 isn’t susceptible.
Duff said the actual problem resides in Firefox’s custom method for handling “certificate pinning,” which is different from the IETF-approved HPKP (HTTP Public Key Pinning) standard.
Certificate pinning is an HTTPS feature that makes sure the user’s browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from falling victim to an attack made by spoofing the SSL certificates.
While not very popular, the HPKP standard is often used on websites that handle sensitive information.
Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took only one day to address the flaw after the bug’s disclosure went online.
Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, a default feature in the browser, or should consider using a different browser until Mozilla releases the update.
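One way to verify the mitigation above on a Firefox profile, as an added example that is not from the original article or from Mozilla: it reads the text of a profile's `prefs.js` and `user.js` and reports whether add-on updates are still automatic. `extensions.update.enabled` and `extensions.update.autoUpdateDefault` are Firefox preferences that default to true; the function names and the sample profile text are constructed for illustration.

```python
import re

# Firefox preferences controlling add-on updates; both default to true
# when they do not appear in the profile.
DEFAULTS = {
    "extensions.update.enabled": True,            # check for add-on updates at all
    "extensions.update.autoUpdateDefault": True,  # install updates without asking
}

# Matches boolean user_pref() lines. Lines commented out with // do not match.
# Assumption: no /* ... */ block comments (prefs.js is machine-written).
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: bool} for the update prefs; a later line wins."""
    found = {}
    for name, value in PREF_RE.findall(text):
        if name in DEFAULTS:
            found[name] = (value == "true")
    return found

def update_status(prefs_js, user_js=""):
    """Classify a profile: 'disabled', 'manual-default' or 'automatic'.

    user.js is applied over prefs.js at startup, so it takes precedence.
    """
    eff = dict(DEFAULTS)
    eff.update(parse_prefs(prefs_js))
    eff.update(parse_prefs(user_js))
    if not eff["extensions.update.enabled"]:
        return "disabled"        # no update checks are made
    if not eff["extensions.update.autoUpdateDefault"]:
        # Updates are not installed by default, but an individual add-on
        # can still be set to update automatically in the Add-ons Manager.
        return "manual-default"
    return "automatic"           # updates fetched and installed unattended

# Constructed sample profile text, not taken from a real installation.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.page", 3);
// user_pref("extensions.update.enabled", false);
user_pref("extensions.update.autoUpdateDefault", false);
'''

if __name__ == "__main__":
    print(update_status(SAMPLE_PREFS_JS))
```

A result of `automatic` means the profile still relies on the add-on update channel described in this article.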