Mozilla to Fix Critical Certificate Pinning Issue
2016-09-19 12:36 by Daniela
Tags: Mozilla, Tor
Mozilla is expected to release a Firefox update tomorrow that fixes a cross-platform vulnerability allowing malicious code execution, which could be exploited in man-in-the-middle attacks. The Tor Browser, which is based on Firefox, fixed this issue on Friday with the release of version 6.0.5.
"Due to flaws in the process we used to update 'Preloaded Public Key Pinning' in our releases, the pinning for add-on updates became ineffective for Firefox release 48 starting September 10, 2016, and ESR 45.3.0 on September 3, 2016," Mozilla explained.
According to Tor officials, the vulnerability lets an attacker who obtains a forged certificate impersonate Mozilla's update servers. The attacker could then deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. Because the pinning is no longer enforced, the fraudulent certificate only needs to be issued by any one of the several hundred certificate authorities (CAs) that Firefox trusts.
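To make the failure mode concrete, here is an added example (not Mozilla's or Tor's code) that models a preloaded pin set with a built-in expiry date: once the pins are stale, a certificate from any trusted CA passes, and a release-time staleness check would have flagged the build before shipping. The host name, SPKI bytes, dates and support window are constructed, and the expiry mechanism is an assumption about how preloaded pins are handled.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed pin set (not Mozilla's real pins). The pin is computed from
# placeholder SPKI bytes; "expires" models the built-in date after which a
# preloaded pin list stops being enforced (assumption about the mechanism).
GOOD_SPKI = b"constructed-spki-of-the-legitimate-issuer"
PRELOADED_PINS = {
    "addons.mozilla.org": {
        "pins": {spki_pin(GOOD_SPKI)},
        "expires": datetime(2016, 9, 10, tzinfo=timezone.utc),
    },
}


def evaluate_chain(host: str, chain_spkis: list, now: datetime,
                   pins: dict = PRELOADED_PINS) -> str:
    """How the pin check treats a (CA-trusted) chain for `host` at `now`.

    PIN_MATCH    - a key in the chain matches a pinned key
    PIN_MISMATCH - no pinned key in the chain: the connection is blocked
    PINS_EXPIRED - pin list is stale: accepted on CA trust alone (this advisory)
    NO_PINS      - host is not in the preloaded list
    """
    entry = pins.get(host)
    if entry is None:
        return "NO_PINS"
    if now >= entry["expires"]:
        return "PINS_EXPIRED"  # pinning silently switches off
    if any(spki_pin(spki) in entry["pins"] for spki in chain_spkis):
        return "PIN_MATCH"
    return "PIN_MISMATCH"


def stale_pins(pins: dict, release_date: datetime, support_days: int) -> list:
    """Release-time check: hosts whose pins expire before the release is
    expected to be superseded. An empty list means the build is safe to ship."""
    horizon = release_date + timedelta(days=support_days)
    return sorted(h for h, e in pins.items() if e["expires"] < horizon)
```

Running `stale_pins` in the release pipeline turns a quiet expiry into a build failure instead of a field outage.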
Until the update is released, Firefox users may use a different browser or configure Firefox to stop automatically accepting extension updates.