Mozilla fixes man-in-the-middle vulnerability in Firefox




Mozilla will release a Firefox update on September 20 that fixes a man-in-the-middle vulnerability. The vulnerability affects users of add-ons and was closed on Friday in the Tor Browser, which is based on Firefox and uses add-ons such as NoScript.

The vulnerability in Firefox and the Tor Browser came to light last week through a posting by security researcher Ryan Duff on the Daily Dave list on Seclists. The problem lies in the update method for add-ons. Mozilla uses HTTPS connections to update add-ons automatically and additionally uses certificate pinning to protect against abuse.

Attackers could, among other things, use unauthorized SSL certificates to make it appear that an update comes from Mozilla's servers, and so distribute malicious updates for extensions. Certificate pinning is supposed to protect against this, but there was a bug in the way Mozilla updated Preloaded Public Key Pinning, so certificate pinning did not work for Firefox 48 from September 10 and for ESR 45.3.0 from September 3.

The bypass would still require an SSL certificate, and Mozilla is not aware that such certificates are in circulation, but according to the organization it is nevertheless a concern, especially for Tor users who want to be protected against state-sponsored attacks.

The Tor Project itself released an update to version 6.0.5 of the browser last Friday; Mozilla follows on Tuesday with an update to the stable version of Firefox.
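The pinning failure described above, as an added example that is not from the article or from Mozilla's code: a pin check that silently stops enforcing once its preloaded pin set lapses, next to a fail-closed variant and a release-time check that flags pins due to lapse. The host name, dates, SPKI byte strings and the assumption that a preloaded pin set carries an expiry date are constructed for illustration.

```python
import base64
import hashlib
from datetime import datetime, timezone


def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the value a pin stores."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
PINNED_CA = b"constructed-spki: CA the update host is pinned to"
OTHER_CA = b"constructed-spki: different CA trusted by the browser"
LEAF_GOOD = b"constructed-spki: genuine update server key"
LEAF_ROGUE = b"constructed-spki: key in an unauthorized certificate"

# Hypothetical preloaded pin set: host -> allowed pins and a constructed expiry.
PRELOAD = {
    "updates.example": {
        "pins": {spki_pin(PINNED_CA)},
        "expires": datetime(2030, 1, 10, tzinfo=timezone.utc),
    }
}


def check_pins(host, chain_spkis, now, fail_closed=False):
    """Return (accepted, reason) for a chain that already passed CA validation."""
    entry = PRELOAD.get(host)
    if entry is None:
        return True, "host not pinned"
    if now >= entry["expires"]:
        # A lapsed pin set leaves only ordinary CA validation in place.
        if fail_closed:
            return False, "pin set expired, refusing"
        return True, "pin set expired, pinning not enforced"
    if any(spki_pin(s) in entry["pins"] for s in chain_spkis):
        return True, "pin matched"
    return False, "no pinned key in chain"


def stale_pin_hosts(supported_until):
    """Release-time check: hosts whose pins lapse while the build is in use."""
    return sorted(h for h, e in PRELOAD.items() if e["expires"] < supported_until)


if __name__ == "__main__":
    late = datetime(2030, 2, 1, tzinfo=timezone.utc)
    print(check_pins("updates.example", [LEAF_ROGUE, OTHER_CA], late))
    print(stale_pin_hosts(datetime(2030, 3, 1, tzinfo=timezone.utc)))
```

Running `stale_pin_hosts` in a release pipeline with the date until which the build is expected to stay in use turns a silent lapse into a build failure.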

