Mozilla has announced that it will patch a flaw in Firefox that, if exploited, could be used to impersonate the software update server used by the victim’s browser. Doing so would allow attackers to inject malicious code into the victim’s computer. Mozilla also stated that the vulnerability can be used to unmask Tor users.
Tor developer Georg Koppen stated:
“The security hole allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla’s servers and to deliver a malicious extension update. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states.”
Movrcx also commented on the security flaw by saying:
“This attack enables arbitrary remote code execution against users accessing specific Clearnet resources when used along with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific Clearnet resources. Additionally, this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and move towards implantation after selected criteria are met; such as an installed language pack, public IP address, DNS cache, stored cookie and web history, and so on.”
Movrcx went on to say that