Mozilla fixes man-in-the-middle vulnerability in Firefox


Mozilla is releasing an update to Firefox on September 20 that fixes a man-in-the-middle vulnerability in the add-on update mechanism. The flaw affects users of add-ons and had already been patched on Friday in the Tor Browser, which is based on Firefox and ships with add-ons such as NoScript.

The vulnerability in the Firefox and Tor browsers came to light last week through a post by security researcher Ryan Duff on the Daily Dave mailing list (Seclists). The problem lies in the add-on update mechanism: Mozilla updates add-ons automatically over HTTPS connections to addons.mozilla.org and additionally uses certificate pinning to guard against misuse of those connections.

An attacker holding an unauthorized digital certificate could impersonate Mozilla's update servers and thereby distribute malicious updates to extensions. Certificate pinning is meant to protect against exactly this, but a bug in the way Mozilla updated its preloaded public key pins caused certificate pinning to stop working for Firefox 48 as of September 10 and for ESR 45.3.0 as of September 3.
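As an added illustration (not Mozilla's code), the simplified model below shows why a preloaded pin list that carries an expiry date fails open once that date passes, and a release-time check that would flag the condition before a build ships. The hostname, key material and dates are constructed; Firefox's real list covers addons.mozilla.org.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed preloaded pin list. The hostname, key bytes and expiry are
# invented for this example; they are not Firefox's shipped values.
PRELOADED_PINS = {
    "addons.example.test": {
        "spki_sha256": {spki_pin(b"constructed SPKI 1"), spki_pin(b"constructed SPKI 2")},
        # Built-in pins carry an expiry so that stale builds do not break when
        # the site rotates keys; after this date the pins are NOT enforced.
        "expires": datetime(2016, 9, 10, tzinfo=timezone.utc),
    },
}


def check_pin(host: str, presented_spki_pin: str, now: datetime, pins=PRELOADED_PINS) -> str:
    """Evaluate a presented SPKI pin against the preloaded list.

    Returns "ok", "pin-mismatch", "unpinned" or "pins-expired". The last value is
    the fail-open state: pins exist but the build no longer enforces them, so only
    ordinary chain validation stands between the user and a mis-issued certificate.
    That is the window the article describes.
    """
    entry = pins.get(host)
    if entry is None:
        return "unpinned"
    if now > entry["expires"]:
        return "pins-expired"
    return "ok" if presented_spki_pin in entry["spki_sha256"] else "pin-mismatch"


def pins_expiring_within(pins, now: datetime, window_days: int) -> list:
    """Release-time check: hosts whose built-in pins expire within the window.

    Run against the pin list before each release, with a window longer than the
    release cycle, this flags pins that will lapse while the build is current.
    """
    horizon = now + timedelta(days=window_days)
    return sorted(h for h, e in pins.items() if e["expires"] <= horizon)
```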

Exploiting the flaw would still require such a certificate, and Mozilla does not know whether any are in circulation, but the organization says it is a concern, particularly for Tor users seeking protection from state-sponsored attackers.

The Tor Project already released version 6.0.5 of the Tor Browser last Friday; Mozilla will follow on Tuesday with an update to the stable version of Firefox.
