Mozilla planning new update for the same vulnerability that affected Tor
Web browser maker Mozilla has released a new Firefox update that fixes the same cross-platform issue, a malicious code execution flaw that was also seen in the Tor browser, company officials announced.
The flaw allowed attackers in a man-in-the-middle position who had obtained a forged certificate to impersonate Mozilla's servers, according to the Tor officials who warned of it in an advisory. From that position, the attacker could deliver a malicious update for NoScript or for various other Firefox extensions installed on the targeted computer. The forged certificate would have to be issued by one of the several hundred certificate authorities that Firefox trusts.
Hacking a CA, or tricking one into issuing the necessary certificate for addons.mozilla.org, is a major undertaking, but it is within reach of state-sponsored attackers, the kind of adversary the Tor threat model assumes. In 2011, for example, hackers with ties to Iran compromised the Dutch CA DigiNotar and minted counterfeit certificates for close to 200 addresses, including Gmail and a Mozilla add-ons subdomain.
The Tor advisory urged Mozilla users to update their browsers as soon as the fix became available. Soon after Tor published the advisory, Mozilla officials said they would take action and heed the advice. A report posted by security researcher Ryan Duff said some production versions of Firefox are susceptible to the flaw, while others are not affected.
In his report, Duff said he had been able to reproduce results obtained by another security researcher showing that a Firefox protection known as "certificate pinning" had been ineffective at preventing the forged-certificate attack. Certificate pinning is meant to ensure that a browser accepts only specific certificates for a given domain or subdomain and rejects all others, even those issued by authorities the browser trusts.
Duff also said the root cause of the failure was that Firefox pins these domains using a form of static key pinning rather than the HTTP Public Key Pinning protocol. Put more plainly, the flaw resulted from Mozilla failing to extend the expiration dates on its static pin list, which causes pinning to go unenforced once the pins expire.
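As an added illustration (not code from Mozilla, Firefox, or Duff's report), the following Python models the static pin check the article describes: a pin-list entry with an expiry date, a legacy check that silently stops enforcing once the entry has expired, and a fail-closed variant that keeps enforcing and reports the stale entry. The hostname is the one from the article; the SPKI bytes and dates are constructed sample values.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample key material. Real pins are SHA-256 hashes of the
# DER-encoded SubjectPublicKeyInfo of the legitimate certificate chain.
LEGIT_SPKI = b"constructed-spki-for-addons.mozilla.org"
FORGED_SPKI = b"constructed-spki-from-a-mis-issued-cert"

# Constructed dates on either side of the pin entry's expiry.
BEFORE_EXPIRY = datetime(2016, 9, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2016, 9, 15, tzinfo=timezone.utc)


def spki_pin(spki_der: bytes) -> str:
    """Base64(SHA-256(SPKI)), the usual pin encoding."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# A static pin list in the style the article describes: each host maps to
# the pins it accepts and an expiry after which the entry is considered stale.
STATIC_PINS = {
    "addons.mozilla.org": {
        "pins": {spki_pin(LEGIT_SPKI)},
        "expires": datetime(2016, 9, 10, tzinfo=timezone.utc),  # constructed
    },
}


def pin_check_legacy(host: str, presented_spki: bytes, now: datetime) -> bool:
    """Behaviour the article describes: once the static entry has expired,
    pinning is not enforced at all, so any CA-issued certificate passes."""
    entry = STATIC_PINS.get(host)
    if entry is None or now > entry["expires"]:
        return True  # no current pin: fall back to ordinary CA validation only
    return spki_pin(presented_spki) in entry["pins"]


def pin_check_hardened(host: str, presented_spki: bytes, now: datetime):
    """Fail closed: an expired entry still rejects an unknown key, and the
    stale entry is reported so the list gets refreshed instead of ignored."""
    entry = STATIC_PINS.get(host)
    if entry is None:
        return True, "no pin configured for host"
    matched = spki_pin(presented_spki) in entry["pins"]
    if now > entry["expires"]:
        return matched, "pin entry expired; refresh static pin list"
    return matched, "ok"
```

With the legacy check, the forged key is rejected before the expiry date and accepted after it, which is exactly the window the article describes; the hardened check rejects it in both cases and flags the expired entry.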
Responding to the advisory, Mozilla officials said in a statement that users could expect a new update by September 20.
Users waiting for the update would probably be wise to use a different browser in the meantime. Getting a good VPN wouldn't hurt either.