The browsers we use every day, Mozilla's Firefox included, are far from perfect: bugs, glitches and occasionally genuine vulnerabilities turn up in their code. One recently disclosed flaw has drawn particular scrutiny: a weakness in Firefox's automated add-on update process, specifically in the way the browser's built-in certificate pins expire.
Mozilla Patches Certificate Pinning Vulnerability for Firefox Browser
Mozilla has now released a patch for that flaw. The vulnerability allowed an attacker positioned on the network to intercept the browser's encrypted traffic to the add-on update server and inject a malicious update for the NoScript extension, giving them remote code execution in the browser. The flaw also affected the Tor Browser, which is built on Firefox's code. The Tor Browser was patched last Friday, after the bug was disclosed by a researcher known as movrck.
The fix for Firefox itself shipped in Firefox 49 and in Firefox ESR 45.4. Besides movrck, the flaw was analyzed by Ryan Duff, a researcher and former member of United States Cyber Command. Both pointed out that exploiting it is not trivial, because several conditions have to be met first. The attacker needs a TLS certificate for the update server that the browser will trust, either stolen or forged, and must then be positioned to intercept the update traffic and present that certificate in place of the real one. In practice that means running a malicious Tor exit node or mounting some other man-in-the-middle attack on the victim's connection.
According to Mozilla, the vulnerability, now tracked as CVE-2016-5284, lies in the process for updating the Preloaded Public Key Pinning list that ships with the browser. Rather than relying on HTTP Public Key Pinning (HPKP) headers sent by the server, the browser enforces its own built-in static pins, which carry an expiry date and are meant to be refreshed with each release. In this case the pins expired on 3 September and the browser remained exposed for 17 days before the fix shipped. Once the pins had lapsed, the browser fell back to ordinary CA validation for the update server, so any certificate a trusted CA had issued for that host, however it was obtained, would be accepted. Mozilla acknowledged the problem in its update process and the expired pins on Friday. Senior manager Selena Deckelmann said the company was not aware of any malicious certificates in the wild.
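The following is an added example, not code from Mozilla, the Tor Project or the researchers named above, that models how a preloaded pin list with an expiry date fails open. The SPKI byte strings, the host's pin set, the scenario dates and the `fail_closed` policy switch are constructed assumptions; the release-coverage check at the end is a safeguard of the kind a release process would want, not a description of Mozilla's actual fix.

```python
"""Toy model of preloaded (static) certificate pins that carry an expiry date.

Added example, not Mozilla's code. All key material is constructed; the
host name, pin list and expiry handling are illustrative assumptions.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from enum import Enum


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
GOOD_SPKI = b"constructed SPKI of the legitimate add-on update server key"
ROGUE_SPKI = b"constructed SPKI of a CA-issued certificate the attacker controls"

# Hypothetical preloaded pin list: host -> set of acceptable SPKI pins.
PRELOADED_PINS = {"addons.mozilla.org": {spki_pin(GOOD_SPKI)}}
# Expiry date of the shipped static pins, as given in the article.
PRELOADED_EXPIRY = datetime(2016, 9, 3, tzinfo=timezone.utc)

# Scenario dates (constructed; the 17-day window in the article runs from
# 3 September to 20 September 2016).
BEFORE_EXPIRY = datetime(2016, 8, 1, tzinfo=timezone.utc)
DURING_WINDOW = datetime(2016, 9, 10, tzinfo=timezone.utc)
NEXT_RELEASE = datetime(2016, 9, 20, tzinfo=timezone.utc)


class PinStatus(Enum):
    PASS = "pass"          # a pinned key appears in the presented chain
    FAIL = "fail"          # host is pinned and no pinned key is present
    STALE = "stale"        # pin list past its expiry, check skipped
    UNPINNED = "unpinned"  # host has no preloaded pins


def pin_status(host, chain_spkis, now, enforce_after_expiry=False):
    """Compare the SPKIs of a presented chain against the preloaded pins.

    With enforce_after_expiry=False this models the behaviour the article
    describes: once the list is past its expiry the pins are not checked.
    """
    pins = PRELOADED_PINS.get(host)
    if pins is None:
        return PinStatus.UNPINNED
    if now > PRELOADED_EXPIRY and not enforce_after_expiry:
        return PinStatus.STALE
    matched = any(spki_pin(spki) in pins for spki in chain_spkis)
    return PinStatus.PASS if matched else PinStatus.FAIL


def update_allowed(host, chain_spkis, now, fail_closed):
    """Decide whether an add-on update fetched over this chain is trusted.

    fail_closed=False: STALE is treated like UNPINNED, so after expiry any
    chain that passed ordinary CA validation is accepted (the weak policy).
    fail_closed=True: the pins keep being enforced after expiry.
    """
    status = pin_status(host, chain_spkis, now, enforce_after_expiry=fail_closed)
    return status in (PinStatus.PASS, PinStatus.UNPINNED, PinStatus.STALE)


def preload_list_covers_release(expiry, next_release, margin_days=14):
    """Release-time check: the shipped pin expiry must outlast the next
    scheduled release by a safety margin, or a slipped release leaves a
    window with no pinning at all."""
    return expiry >= next_release + timedelta(days=margin_days)


if __name__ == "__main__":
    host = "addons.mozilla.org"
    for when, label in ((BEFORE_EXPIRY, "before expiry"), (DURING_WINDOW, "after expiry")):
        for fail_closed in (False, True):
            ok = update_allowed(host, [ROGUE_SPKI], when, fail_closed)
            print(f"{label:13} fail_closed={fail_closed!s:5} rogue chain accepted: {ok}")
    print("pin expiry covers next release:",
          preload_list_covers_release(PRELOADED_EXPIRY, NEXT_RELEASE))
```

Before 3 September the rogue chain is rejected under either policy; inside the window the weak policy accepts it because the stale list is simply skipped, which is exactly the gap a stolen or forged certificate plus a hostile exit node would exploit. The strict policy still rejects it. The coverage check reports that an expiry of 3 September does not cover a 20 September release, the condition that produced the 17-day window.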