Mozilla Firefox Vulnerable To Man-In-The-Middle Attack: Report

by CXOtoday News Desk    Sep 19, 2016


Severe vulnerabilities have been discovered in the popular browser Mozilla Firefox. According to reports, a critical vulnerability found in the fully patched version of Mozilla’s Firefox browser could allow cyber criminals to launch man-in-the-middle (MITM) impersonation attacks, and it also affects the Tor anonymity network. The company has taken note of the newly discovered vulnerability and has given an assurance that it will patch the flaw.

The flaw was first noticed by researchers who described the attacks against Tor ahead of the publication of a patch in Tor Browser version 6.0.5.

“That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla’s servers and to deliver a malicious extension update,” online news portal The Register quoted Tor developer Georg Koppen as saying.

“This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it’s within reach of powerful adversaries such as nation states,” he added.

Security researcher Movrcx detailed the then-zero-day flaw in an analysis, estimating that attackers would need to spend US$100,000 to launch the multi-platform attacks.

“This attack enables arbitrary remote code execution against users accessing specific clearnet resources when used in combination with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific clearnet resources,” he wrote.

“Additionally this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met - such as an installed language pack, public IP address, DNS cache, stored cookie, stored web history, and so on.”

The need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx said was “difficult to accomplish but not impossible”.

He claimed members of the Tor Project did not accept his initial private disclosure.

Independent security researcher Ryan Duff, who maintains an interest in cross-platform remote code execution, says Firefox used its own weaker version of key pinning, which created the attack vector, adding that Mozilla had fixed the flaw in the nightly version of its browser.

“Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP. The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is by-passable in this attack scenario,” he said.

Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took just one day to address the flaw after the bug’s disclosure went online.

Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, a default feature in the browser, or should consider using a different browser until Mozilla releases the update.