Bug that hit Firefox and Tor browsers was hard to spot—now we know why
Dan Goodin
A recently fixed security
vulnerability that affected both the Firefox and Tor browsers had a
highly unusual characteristic that caused it to threaten users only
during temporary windows of time that could last anywhere from two days
to more than a month.
As a result, the cross-platform, malicious code-execution risk most recently reached users of browsers based on the Firefox Extended Support Release on September 3 and lasted until Tuesday, a total of 17 days. The same release channel was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.
While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing updates to NoScript and certain other browser extensions. That meant an attacker who held a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user's machine. While it can be challenging to hack a certificate authority or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within the means of state-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. Such an attack, however, was viable only during the periods when the Mozilla-supplied "pins" had expired.
"It comes around every once in a while," Ryan
Duff, an independent researcher and former member of the US Cyber
Command, told Ars, referring to the vulnerability. "It's weird. I've
never seen a bug that presented itself like that."
Certificate pinning is designed to ensure that a browser accepts only certificates tied to specific, pre-agreed public keys for a given domain or subdomain and rejects all others, even if those certificates are issued by a browser-trusted authority. But because certificates and keys inevitably must be rotated from time to time, the pins must periodically be updated so that newly issued certificates can be accepted. Mozilla used a static form of pinning for its extension update process, shipped inside the browser itself rather than delivered through the HTTP Public Key Pinning protocol (HPKP). A static pin list carries a built-in expiration date, and, due to lapses caused by human error, the expiration date baked into an older browser version sometimes arrived before a new version carrying a later expiration date had been pushed out.
During those times, pinning wasn't enforced. And when pinning wasn't enforced, it was possible for man-in-the-middle attackers to use forged certificates to install malicious add-on updates for any add-on obtained through Mozilla's add-on site. Mozilla on Tuesday updated Firefox to fix the faulty pin expiration dates, and over the weekend, the organization also updated the add-ons server to make it start using HPKP. Tor officials fixed the weakness last week with the early release of a version based on Tuesday's release from Mozilla.
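To make the two mechanisms above concrete, the following is an added example, not Mozilla's code: a toy model of a static, build-time pin list with a baked-in expiration date, the decision a browser makes with it (including the "pins expired, so not enforced" behaviour described above and a fail-closed alternative), and a small calculation of the exposure windows that open when a release's pins expire before the next release ships. The SPKI bytes, the host's pin, the release calendar and the expiry dates are all constructed for illustration; the calendar is chosen only to reproduce the 17-day window the article describes and is not Mozilla's actual build data.

```python
"""Toy model of an expiring static pin list (added example, not Mozilla code)."""
import base64
import hashlib
from datetime import date

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
MOZILLA_SPKI = b"constructed SPKI of the key pinned for addons.mozilla.org"
FORGED_SPKI = b"constructed SPKI of a forged certificate from a trusted CA"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Static pin list compiled into the build (assumption: keyed by host, one or
# more acceptable SPKI hashes per host).
STATIC_PINS = {"addons.mozilla.org": {spki_pin(MOZILLA_SPKI)}}


def pinning_decision(host, chain_spkis, now, pin_list_expiry,
                     pins=STATIC_PINS, fail_closed=False):
    """Return (accept, reason) for a chain that already passed the CA check.

    Mirrors the behaviour described in the article: once the build's pin list
    expiry has passed, pins are simply not enforced, so any CA-issued
    certificate, forged or not, is accepted. fail_closed=True shows the
    conservative alternative of refusing the connection instead.
    """
    if now >= pin_list_expiry:
        if fail_closed:
            return False, "pin list expired: refusing rather than trusting any CA"
        return True, "pin list expired: pins not enforced"
    expected = pins.get(host)
    if expected is None:
        return True, "no pins for this host"
    if any(spki_pin(spki) in expected for spki in chain_spkis):
        return True, "pin matched"
    return False, "pin mismatch: rejected despite a valid CA signature"


def exposure_windows(releases):
    """releases: list of (release_date, pin_expiry) tuples in release order.

    Users on a given release stay exposed from that release's pin expiry until
    the next release ships and they update. Returns (start, end, days) for
    every gap where the pins expire before the successor is available.
    """
    windows = []
    for (_, expiry), (next_release, _) in zip(releases, releases[1:]):
        if expiry < next_release:
            windows.append((expiry, next_release, (next_release - expiry).days))
    return windows


# Constructed ESR calendar reproducing the 17-day window described above.
# The expiry values are assumptions, not Mozilla's real build data.
ESR_RELEASES = [
    (date(2016, 8, 2), date(2016, 9, 3)),    # pins expire before the next ESR
    (date(2016, 9, 20), date(2016, 11, 15)),  # successor ships on Sept 20
]


if __name__ == "__main__":
    for start, end, days in exposure_windows(ESR_RELEASES):
        print(f"pins unenforced from {start} to {end}: {days} days")
    expiry = ESR_RELEASES[0][1]
    for when in (date(2016, 8, 15), date(2016, 9, 10)):
        ok, why = pinning_decision("addons.mozilla.org", [FORGED_SPKI], when, expiry)
        print(f"{when}: forged chain accepted={ok} ({why})")
```

Run it as-is to see the forged chain rejected on August 15 and silently accepted on September 10; swapping in `fail_closed=True` turns the second case into a refused connection, which is the trade-off a static, time-limited pin list forces on whoever ships it.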
"I’d be lying if I said luck didn’t play a significant role in the discovery of this bug," Duff wrote in his postmortem. "If movrcx had tried his attack before 3 Sept or after 20 Sept, it would have failed in his tests. It’s only because he conducted it within that 17 day window that this was discovered."