Mozilla has announced that it will patch a flaw in Firefox that, if exploited, could be used to impersonate the browser’s software update server. Doing so would allow attackers to inject malicious code into the victim’s computer. Mozilla also stated that the vulnerability can be used to unmask Tor users.
Tor developer Georg Koppen stated:
“The security hole allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla’s servers and to deliver a malicious extension update. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states.”
Movrcx also commented on the security flaw by saying:
“This attack enables arbitrary remote code execution against users accessing specific Clearnet resources when used along with a targeting mechanism, such as by passively monitoring exit node traffic for traffic destined for specific Clearnet resources. Additionally, this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and move towards implantation after selected criteria are met, such as an installed language pack, public IP address, DNS cache, stored cookie and web history, and so on.”
Movrcx went on to say that obtaining a legitimate TLS certificate for addons.mozilla.org was a very hard feat, but not impossible. He also said that Tor Project members had not supported his claims earlier.
Independent security researcher Ryan Duff claimed that Firefox used its own weaker rendition of key pinning, which created the attack angle, and that Mozilla had already fixed the flaw in a nightly version of the browser.
“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP. Enforcing the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in its attack scenario,” Duff stated.