Firefox 49 to be released on September 20

Sep 17, 2016 14:15 GMT

Earlier today, we reported on a critical vulnerability in the Firefox codebase that would allow an attacker to impersonate Mozilla's servers and deliver fake add-on updates to users.

The Tor Browser, which is also based on a version of Firefox, fixed this issue on Friday with the release of version 6.0.5. In an announcement published today, Mozilla's Senior Manager of Security Engineering said a fix for this critical bug would be included in Firefox 49, set for release on Tuesday, September 20.

Firefox bug was introduced two weeks ago

At the heart of the issue is the mechanism Firefox uses to "pin" the HTTPS certificates it expects from certain servers: a built-in, preloaded pin list that is separate from the HPKP (HTTP Public Key Pinning) industry standard.

An attacker who managed to obtain a fraudulently issued certificate for mozilla.com domains could deliver malicious add-on updates without the browser raising any error that the certificate's keys did not match the ones pinned inside the user's browser: Firefox was checking only that the certificate's domain matched, not the pinned keys.
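As an added illustration, not code from the article or from Mozilla, the following Python model contrasts the two checks described above: a domain-only match, which accepts any certificate a CA will issue for the host, and a key-pin match, which also requires a pinned public key in the chain. The host name, pin set and SPKI bytes are constructed samples, and `Cert` is a stand-in for a parsed X.509 certificate rather than a real parser.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed sample, not a parser)."""
    host: str        # host name the certificate is issued for
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """Pin value in the HPKP/Firefox style: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode("ascii")


def domain_only_check(chain: List[Cert], host: str) -> bool:
    """The ineffective behaviour the article describes: only the host name is compared."""
    return bool(chain) and chain[0].host == host


def pinned_check(chain: List[Cert], host: str, pins: Dict[str, Set[str]]) -> bool:
    """Key pinning: the host must match AND some certificate in the chain must carry
    a public key whose pin is in the preloaded set for that host. A host with no
    entry has no pinning policy and falls back to the domain check, which is why a
    missing or stale entry silently removes the protection."""
    if not domain_only_check(chain, host):
        return False
    expected = pins.get(host)
    if not expected:
        return True
    return any(spki_pin(c) in expected for c in chain)


# Constructed sample SPKI bytes; real values come from the certificates themselves.
GOOD_SPKI = b"constructed-spki-of-the-real-update-server-key"
ROGUE_SPKI = b"constructed-spki-of-a-mis-issued-certificate"
HOST = "addons.example.invalid"  # hypothetical host, not one of Mozilla's

LEGIT_CHAIN = [Cert(HOST, GOOD_SPKI)]
ROGUE_CHAIN = [Cert(HOST, ROGUE_SPKI)]  # CA-signed for the right host, wrong key
PINS = {HOST: {spki_pin(LEGIT_CHAIN[0])}}
EMPTY_PINS: Dict[str, Set[str]] = {}  # state once the host's pin entry has dropped out


def demo() -> Dict[str, bool]:
    return {
        "domain_only_accepts_rogue": domain_only_check(ROGUE_CHAIN, HOST),
        "pinned_accepts_legit": pinned_check(LEGIT_CHAIN, HOST, PINS),
        "pinned_rejects_rogue": pinned_check(ROGUE_CHAIN, HOST, PINS),
        "missing_pins_accept_rogue": pinned_check(ROGUE_CHAIN, HOST, EMPTY_PINS),
    }
```

The last entry of `demo()` is the condition the article reports: with no active pin entry the rogue chain passes, exactly as it would under the domain-only check.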

"Due to flaws in the process we used to update 'Preloaded Public Key Pinning' in our releases, the pinning for add-on updates became ineffective for Firefox release 48 starting September 10, 2016, and ESR 45.3.0 on September 3, 2016," Mozilla explained.

Mozilla servers will rotate pinned certificate keys every day

To make future attacks harder, Mozilla also says it has configured the addons.mozilla.com server so that users' pinned certificate keys are refreshed every day, which increases the effort needed to exploit this bug.

While many users run Firefox without add-ons and are not affected, the Tor Browser ships with two crucial add-ons that protect its users' privacy.

Tor Browser users should update right away, while Firefox users should disable add-ons and automatic add-on updates until Tuesday.