Mozilla officials have announced that they plan to push a security update for their Firefox browser on Tuesday, September 20, 2016. This patch fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.
The vulnerability allows an attacker who holds a man-in-the-middle position and can obtain a forged certificate to impersonate Mozilla servers. From there, the attacker could deliver a malicious update for a Firefox extension installed on a targeted computer. The fraudulent certificate would have to be issued by any one of the several hundred certificate authorities (CAs) that Firefox trusts.
The attack works because a Firefox protection known as “certificate pinning” was, in this case, ineffective at blocking forged certificates. Certificate pinning is designed to ensure that a browser accepts only a specific certificate for a specific domain or subdomain and rejects all others, even if they are issued by a browser-trusted authority.
Mozilla has released the following statement:
We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but certificate pinning had expired for users of our Release and Extended Support Release versions. We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.
While this may not be a common attack, it is still possible to carry out. Unfortunately, the only mitigation options until the patch is released are to use another browser or to configure Firefox not to accept extension updates automatically.
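To make the failure mode concrete, here is an added illustration (not Mozilla's code) of how a pin check behaves before and after a shipped pin set expires, and how a site-served HPKP header with a max-age re-establishes the check for users who visit afterwards. The SPKI byte strings, dates and header value are constructed for the example; real pins are base64(SHA-256) of a certificate's DER-encoded SubjectPublicKeyInfo.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the DER SubjectPublicKeyInfo of two certificates
# (not real keys): the genuine addons.mozilla.org key, and a forged
# certificate for the same name issued by another browser-trusted CA.
LEGIT_SPKI = b"constructed-spki-genuine-amo-key"
FORGED_SPKI = b"constructed-spki-forged-cert-other-ca"

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as used by HPKP: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

@dataclass
class PinSet:
    pins: frozenset        # accepted pin-sha256 values
    expires_at: datetime   # built-in pins: build-time expiry; HPKP: max-age

def pinset_from_hpkp(header: str, observed_at: datetime) -> PinSet:
    """Parse a Public-Key-Pins header seen at `observed_at` into a PinSet."""
    pins, max_age = set(), 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "pin-sha256":
            pins.add(value.strip().strip('"'))
        elif name.lower() == "max-age":
            max_age = int(value.strip())
    return PinSet(frozenset(pins), observed_at + timedelta(seconds=max_age))

def evaluate(chain_spkis: list, pinset: PinSet, now: datetime) -> str:
    """'ok' if a pinned key is in the chain, 'rejected' if none is, and
    'bypassed' once the pin set has expired: the connection then rests on
    CA trust alone, the state in which a forged CA-issued cert is accepted."""
    if now >= pinset.expires_at:
        return "bypassed"
    if any(spki_pin(s) in pinset.pins for s in chain_spkis):
        return "ok"
    return "rejected"

# Constructed timeline: the shipped pin set lapses; a site-served HPKP header
# then re-establishes protection for users who visited the site afterwards.
BUILTIN = PinSet(frozenset({spki_pin(LEGIT_SPKI)}),
                 datetime(2016, 9, 1, tzinfo=timezone.utc))
T_BEFORE = datetime(2016, 8, 15, tzinfo=timezone.utc)
T_AFTER = datetime(2016, 9, 10, tzinfo=timezone.utc)
HPKP_HEADER = f'pin-sha256="{spki_pin(LEGIT_SPKI)}"; max-age=5184000'
REFRESHED = pinset_from_hpkp(HPKP_HEADER, T_AFTER)
```

The "bypassed" result is the point of the story: an expired pin set does not fail closed, it silently falls back to ordinary CA validation, which is what a forged certificate from any trusted CA passes.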