Firefox Update security audit results published - gHacks Tech News

Firefox Update security audit results published

One of the core components of the Firefox web browser is its integrated updating system, which regularly checks for new updates and downloads and installs them automatically.

Mozilla hired the German security company X41 D-Sec GmbH to audit the Application Update Service (AUS) that powers automatic Firefox updates. The company's security researchers analyzed the update component in the Firefox client as well as the backend services that deliver updates and provide Mozilla staff with management functionality (called Balrog).

The researchers analyzed the source code of the components and used "various methods of penetration testing to assess the integrity of the infrastructure, web applications, and updater clients".

No critical issues


No critical issues were discovered by the researchers. The researchers did find three vulnerabilities that they rated high, seven that they rated medium, and four that they rated low. In addition, they discovered 21 additional issues "without a direct security impact".

All vulnerabilities rated high were found in the management console, Balrog, which is only accessible on Mozilla's internal network.

The most serious vulnerability discovered was a Cross-Site Request Forgery (CSRF) vulnerability in the administration web application interface, which might allow attackers to trigger unintended administrative actions under certain conditions.

Other vulnerabilities identified were memory corruption issues, insecure handling of untrusted data, and stability issues (Denial of Service (DoS)). Most of these issues are hard to exploit in practice because an attacker would first have to bypass the cryptographic signatures on the update files.

No issues were identified in the handling of cryptographic signatures for update files. However, the XML files that describe the location of the update files and carry other metadata were not cryptographically signed. They were downloaded via HTTPS, but the server certificates or public keys were not pinned.
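The two controls the paragraph above says were missing on the metadata path, shown here as an added Go example that is not part of the article and not Mozilla's updater code: a client-side check that compares the server certificate against a pinned SHA-256 fingerprint and verifies a detached Ed25519 signature over the raw update-description XML before parsing it. The manifest, the certificate bytes, the key seed and the element and attribute names are all constructed for this example and only loosely modelled on the AUS format; the real format, keys and hosts are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// Manifest is the shape this example expects from an update-description document.
// Element and attribute names are constructed, loosely modelled on the AUS XML.
type Manifest struct {
	XMLName xml.Name `xml:"updates"`
	Update  struct {
		Version string  `xml:"appVersion,attr"`
		Patches []Patch `xml:"patch"`
	} `xml:"update"`
}

// Patch describes one downloadable update file.
type Patch struct {
	Type      string `xml:"type,attr"`
	URL       string `xml:"URL,attr"`
	HashFunc  string `xml:"hashFunction,attr"`
	HashValue string `xml:"hashValue,attr"`
}

// SampleManifest is a constructed document; the hash value is a placeholder.
var SampleManifest = `<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update type="minor" appVersion="63.0">
    <patch type="complete" URL="https://example.invalid/firefox-63.0.complete.mar" hashFunction="sha512" hashValue="` + strings.Repeat("ab", 64) + `"/>
  </update>
</updates>`

// SampleCertDER stands in for the server certificate (constructed bytes, not real DER).
var SampleCertDER = []byte("constructed-certificate-bytes-for-this-example")

// PinFor returns the SHA-256 fingerprint a client would embed at build time.
func PinFor(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// DemoKeys derives a fixed Ed25519 key pair from a constant seed so the run is
// reproducible; a real updater ships only the public half.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// VerifyManifest applies the two controls the audit found absent on the metadata
// path: the presented certificate must match the pinned fingerprint, and the raw
// XML bytes must carry a valid signature from a key the client already trusts.
func VerifyManifest(doc, sig []byte, pub ed25519.PublicKey, certDER []byte, pinnedHex string) (*Manifest, error) {
	pin, err := hex.DecodeString(pinnedHex)
	sum := sha256.Sum256(certDER)
	if err != nil || subtle.ConstantTimeCompare(sum[:], pin) != 1 {
		return nil, fmt.Errorf("server certificate does not match the pinned fingerprint")
	}
	if !ed25519.Verify(pub, doc, sig) {
		return nil, fmt.Errorf("manifest signature does not verify")
	}
	// Parse only after the bytes are authenticated.
	var m Manifest
	if err := xml.NewDecoder(bytes.NewReader(doc)).Decode(&m); err != nil {
		return nil, fmt.Errorf("malformed manifest: %w", err)
	}
	for _, p := range m.Update.Patches {
		if !strings.HasPrefix(p.URL, "https://") {
			return nil, fmt.Errorf("patch %q: URL must use https", p.Type)
		}
		h, err := hex.DecodeString(p.HashValue)
		if p.HashFunc != "sha512" || err != nil || len(h) != 64 { // 64 bytes = SHA-512
			return nil, fmt.Errorf("patch %q: hashValue is not a SHA-512 digest", p.Type)
		}
	}
	return &m, nil
}

func main() {
	pub, priv := DemoKeys()
	doc := []byte(SampleManifest)
	sig := ed25519.Sign(priv, doc) // done by the release infrastructure, not the client
	pin := PinFor(SampleCertDER)

	m, err := VerifyManifest(doc, sig, pub, SampleCertDER, pin)
	fmt.Println("genuine manifest:", err, m.Update.Patches[0].URL)
	// The signature no longer covers a manifest altered in transit.
	tampered := bytes.Replace(doc, []byte("https://"), []byte("http://"), 1)
	_, err = VerifyManifest(tampered, sig, pub, SampleCertDER, pin)
	fmt.Println("altered manifest:", err)
	// A certificate other than the pinned one is rejected before any parsing.
	_, err = VerifyManifest(doc, sig, pub, []byte("a different certificate"), pin)
	fmt.Println("unpinned certificate:", err)
}
```

The order of the checks is deliberate: the pin and the signature are verified on the raw bytes, so the XML parser only ever sees metadata that has already been authenticated, and a manifest whose download URL or hash was altered between server and client fails the signature check regardless of what TLS did or did not guarantee.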

The three vulnerabilities rated high are:

  • BLRG-PT-18-002: Use of Insecure JavaScript Libraries With Known Vulnerabilities
  • BLRG-PT-18-010: CSRF Token not Validated
  • BLRG-PT-18-011: Cookies Without the Secure Flag
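To make the two application-level findings concrete (the CSRF token that was issued but not validated, BLRG-PT-18-010, and the cookies set without the Secure flag, BLRG-PT-18-011), here is an added Go example. It is not Balrog's code and assumes nothing about how Balrog is implemented: a minimal administrative endpoint is run in both an "as audited" and a hardened configuration against the same two requests, a cross-site POST that carries only the session cookie and a genuine in-app POST that also carries the token. The cookie name, header name and endpoint path are arbitrary choices for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Store keeps the CSRF token bound to each session (in-memory, constructed for the example).
type Store struct {
	mu     sync.Mutex
	tokens map[string]string
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login creates a session and sets its cookie. With hardened=false the cookie lacks the
// Secure flag (the class of defect in BLRG-PT-18-011); with true it gets Secure, HttpOnly, SameSite.
func (s *Store) Login(w http.ResponseWriter, hardened bool) (sid, token string) {
	sid, token = randomHex(16), randomHex(32)
	s.mu.Lock()
	s.tokens[sid] = token
	s.mu.Unlock()
	c := &http.Cookie{Name: "session", Value: sid, Path: "/"}
	if hardened {
		c.Secure, c.HttpOnly, c.SameSite = true, true, http.SameSiteStrictMode
	}
	http.SetCookie(w, c)
	return sid, token
}

// ValidateCSRF is the check BLRG-PT-18-010 says was missing: a state-changing
// request must present the token bound to its own session, compared in constant time.
func (s *Store) ValidateCSRF(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	s.mu.Lock()
	want, ok := s.tokens[c.Value]
	s.mu.Unlock()
	got := r.Header.Get("X-CSRF-Token")
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// AdminAction is a state-changing endpoint. With hardened=false the token is
// issued at login but never checked, so the session cookie alone is enough.
func (s *Store) AdminAction(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if hardened && !s.ValidateCSRF(r) {
			http.Error(w, "CSRF token missing or invalid", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "administrative action applied")
	})
}

// Exercise logs in, then sends a cross-site POST (the browser attaches the cookie
// automatically, but a foreign origin cannot read the token) and the genuine in-app
// POST. It reports whether the cookie was marked Secure and each request's status.
func Exercise(hardened bool) (cookieSecure bool, forgedStatus, legitStatus int) {
	s := &Store{tokens: map[string]string{}}
	login := httptest.NewRecorder()
	sid, token := s.Login(login, hardened)
	h := s.AdminAction(hardened)

	forged := httptest.NewRequest(http.MethodPost, "/admin/action", nil)
	forged.AddCookie(&http.Cookie{Name: "session", Value: sid})
	fr := httptest.NewRecorder()
	h.ServeHTTP(fr, forged)

	legit := httptest.NewRequest(http.MethodPost, "/admin/action", nil)
	legit.AddCookie(&http.Cookie{Name: "session", Value: sid})
	legit.Header.Set("X-CSRF-Token", token)
	lr := httptest.NewRecorder()
	h.ServeHTTP(lr, legit)

	return login.Result().Cookies()[0].Secure, fr.Code, lr.Code
}

func main() {
	for _, hardened := range []bool{false, true} {
		secure, forged, legit := Exercise(hardened)
		fmt.Printf("hardened=%-5v cookie Secure=%-5v cross-site POST=%d genuine POST=%d\n", hardened, secure, forged, legit)
	}
}
```

In the audited configuration both requests succeed, which is exactly why a token that is generated but never compared provides no protection; in the hardened configuration the cross-site request is refused with 403 while the genuine one still succeeds, and the Secure flag keeps the session cookie off plain HTTP connections. Binding the token to the session (rather than accepting any well-formed token) and comparing it in constant time are the two details most often missed when the check is retrofitted.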

Mozilla has already fixed some of the issues and is actively working on the remaining ones. The full audit has been published on Google Drive. It contains detailed information about each of the detected vulnerabilities and further documentation.

Conclusion

A third-party security audit of Firefox's updating components both in the client and on the backend concluded that security was good. No critical issues were found during the audit and all issues rated high were found in the administrative console only accessible on Mozilla's internal network.


Comments

  1. Yuliya said on October 10, 2018 at 10:07 am

    They’re auditing the update system because they will force it upon everyone starting with Fx63.
    Now you have to wonder why Firefox, the actual browser, you know that part which you should care about being secure, does not compete anymore with other browsers on pwn2own or other related contests?
    hint: mozilla would lose lots of money

    1. John Fenderson said on October 10, 2018 at 4:56 pm

      @Yuliya: “why Firefox, the actual browser, you know that part which you should care about being secure, does not compete anymore with other browsers on pwn2own or other related contests?”

      It doesn’t? Firefox certainly participated in pwn2own this year…

      1. Yuliya said on October 10, 2018 at 4:57 pm

        They did this year? A couple of years ago they didn’t.

      2. foolishgrunt said on October 10, 2018 at 8:35 pm

        1) Firefox was held out of the 2016 competition only. They have been featured every other year.
        2) In the case of Pwn2Own, it is the contest organizers who decide which software to feature. It was not a case of Mozilla choosing to “not compete.”
        3) The contest organizers also pay the cash prizes for successful exploits, so the browser makers don’t “lose money.”

      3. Yuliya said on October 10, 2018 at 9:28 pm

        Hmm, I remember Google offering some really high amounts of money for Chrome exploits. I kind of doubt those were money from the pwn2own organisers’ pockets. They’d be out of business in no time.
        No one won that money though, whatever kind of exploit Google was rewarding with that sum has not been leveraged that year – I think it was in 2017 or 2016.

    2. Fx0 said on October 11, 2018 at 8:50 am

      > They’re auditing the update system because they will force it upon everyone starting with Fx63.

      That’s not true at all. Don’t spread fake news.

      1. Yuliya said on October 11, 2018 at 10:41 am

        Yes, it is true. You won’t be able to disable the updater anymore as no about:config setting related to the update system no longer has any effect:
        imgur.com/JEhQoqV

      2. Richard Allen said on October 11, 2018 at 1:11 pm

        You can play all the word games you want but there are No Forced Updates after FF v63. Do you not understand the concept of “Not Now” which is plainly visible in your image? And your image is showing a Notification.

        “no about:config setting related to the update system no longer has any effect:”

        Really?

        Your install doesn’t have “Check for updates and let you choose to install them”? — app.update.auto=false

        Have you tried changing the app update interval or the app update url?

      3. Yuliya said on October 11, 2018 at 1:49 pm

        Yes, everything related to update was disabled and every field containing “http” has been blanked.
        Dismissing that popup does not help as it comes back within minutes on all open windows.

  2. Richard Allen said on October 10, 2018 at 10:41 am

    “does not compete anymore with other browsers on pwn2own or other related contests? hint: mozilla would lose lots of money”

    Is that based on fact or is it more like your malware fairy tale? :)

    Any citations?

  3. John C. said on October 10, 2018 at 11:48 am

    I don’t care what Mozilla’s spin doctors apply as euphemistic rationalization for doing this. All they’re doing is going with the old “it’s for your own good” excuse. Surely they realize that anybody with half a brain isn’t buying into it.

    With this, the morphing of Firefox into Google Chrome becomes effectively complete, as far as I’m concerned. IMO, this process started when Google spies Jinghua Zhang and Alex Limi temporarily began working at Mozilla and with FF ver. 29 shoved the Australis interface down Firefox end users’ collective throats.

    I will NOT allow any program which updates automatically onto any of my systems any more than I will use any operating system (*cough*, *choke*, *W10*) which updates itself automatically. PERIOD.

    1. Jessica said on October 10, 2018 at 12:56 pm

      If users were responsible, automatic updates would still be optional as a general rule. But that isn’t the case.

      1. John Fenderson said on October 10, 2018 at 4:58 pm

        @Jessica

        That’s an awful, insulting, and ethically dubious argument, though. If users don’t want to update, then that’s on them. Everyone has the right to make their own decision even if those decisions are different than others think are wise.

      2. John C. said on October 10, 2018 at 10:04 pm

        Jessica, by your logic everybody should be prevented from doing anything that involves any kind of risk. It’s that kind of thinking that destroys freedom in this world.

    2. Richard Allen said on October 10, 2018 at 1:08 pm

      You’re uninformed if you think FF will only have auto-updates. “Automatically install updates” and “Check for updates and let you choose to install them” will still be choices after v63 is released. And, if you want to use the Enterprise Policy, updates can be completely disabled. No need for hysterics.

      “the morphing of Firefox into Google Chrome becomes effectively complete”
      That’s the most ignorant claim I’ve seen today, IMO. Well done sir!

      What pray tell is your solution? Waterfox with all its missing security fixes? Personally, I’d rather friends and family used an up to date browser versus something that can actually put them at risk, especially when most everyone I know is neck deep into social media with all of its inherent security risks.

      Hell, last week my sister-in-law called because she was working from home and had to log into work with a specific browser I had never heard of and with her work config her network connection was even bypassing the hosts file I put in their laptop. She ended up browsing the interwebs with that browser and got the infamous MS Security Alert popup scam she couldn’t close. Point is, the general public needs all the help they can get. Whining about the most used software on a computer being auto-updated for security fixes makes no sense. JMHO. And… you can still opt-out so I don’t understand all the drama.

      1. John C. said on October 10, 2018 at 10:08 pm

        There are no “hysterics” in my post. Nor are there any “ignorant claims” in it. Choice is good. Responsibility rests on the end user and they should NEVER have choice removed from them. People like me, advanced users with over three decades of computer use, should not be treated like the lowest common denominator of sheeple.

        Now, if you’re done insulting me, I’ll move on.

      2. Richard Allen said on October 11, 2018 at 1:32 pm

        @John C.

        “There are no “hysterics” in my post”?…..

        “Mozilla’s spin doctors apply as euphemistic rationalization”

        “the old “it’s for your own good” excuse”

        “anybody with half a brain”

        “Firefox end users’ collective throats”

        “morphing of Firefox into Google Chrome becomes effectively complete”

        “I will NOT allow any program which updates automatically…PERIOD”

        Looks to me like you were implying that FF would only have automatic updates which again is Wrong. Your comment “the morphing of Firefox into Google Chrome becomes effectively complete” shows a complete lack of knowledge IMO. I can name a crapton of differences, you can’t? Is it because you mistakenly think that both Chrome and FF v63+ are forcing their users to update? Well, they are not. Neither one. Even with Chrome it is only updated when I allow it. It’s very easy to setup Chrome to do manual updates, takes less than a minute. And Nightly is also only updated when I allow it. Advanced users with over three decades of computer use would know how to do all this. Right? Anyone that knows even just a little bit about Chrome and Firefox can see how nonsensical it is to say that Chrome and FF are the same, that FF has changed into Chrome.

  4. AxMi-24 said on October 10, 2018 at 11:56 am

    Good check but automatic updates are a curse. They mean that the user has no control and, even more importantly, no way to take action in case of a poisoned source.

    This new automatic trend is simply turning us into slaves as they can do anything they want without users being able to prevent it.

    1. Anonymous said on October 10, 2018 at 12:57 pm

      But what if Mozilla needs to install urgently another advertising component like Looking Glass ? Remember they’re only thinking about your own good, you can trust them !

      1. Richard Allen said on October 10, 2018 at 1:22 pm

        @another Anonymous coward

        So what is your solution? You have anything constructive to offer let’s hear it.

      2. AxMi-24 said on October 10, 2018 at 5:56 pm

        Solution is a package-manager type of setup like BSD and Linux have. Single step for all updates. It can even be highly aggressive with notifications for security-only updates.

        Actually something like that should be forced (technical standard followed by GDPR-like fines) for IoT and the rest of networked devices. Removing user control is not the best solution. Making it very easy to keep everything updated is!

        PS: this assumes amazing amounts of cryptographic checking, forced detailed change notes, and user control.

      3. Dr Know said on October 10, 2018 at 7:56 pm

        @ AxMi-24 You are making the mistake that many tech competent people make. You’re assuming everyone has the knowledge, skill and desire to meddle with updates.

        Most people just want to use their PC without worrying.
        For people like this, automatic updates are the best method.

        For those with knowledge, they’ll decide what’s best for them.

      4. AxMi-24 said on October 11, 2018 at 9:26 am

        @Dr Know problem is that automatic everything makes you a perfect target. We already know that various government agencies are more than interested in spying on everyone and everything. Automatic “updates”, telemetry, cloud, and similar “features” being pushed with the excuse of “normal people don’t know computers” is turning us all into slaves.

        I’d much rather have a few security issues here and there due to lack of interest or knowledge on the part of the user. It’s about what kind of society we want to live in.
        We are supposed to value personal freedom (at least in the western PR) yet we seem to be pushed on every step to relinquish any chance to make decisions.

      5. Dr Know said on October 11, 2018 at 4:20 pm

        @ AxMi-24 Yet again you’re assuming most people care. They don’t. Just look at how much people post about themselves on social media.

        For the majority of users automatic updates will be their preferred way.

        Most people reading this blog will be far more technically aware than the average user.

      6. AxMi-24 said on October 11, 2018 at 6:57 pm

        @Dr Know I don’t. I’m just saying that drawback of no automatic updates is far better than the drawback from automatic updates and complete loss of control and turning into basically a slave.

        We have seen several attacks on sources used for all kinds of fun things (MEGA’s Chrome add-on for example). Kinda like it showed to be a very bad idea to have monoculture in agriculture. There is no perfect solution so we end up having to weigh the drawbacks of all of them.

      7. Anonymous said on October 10, 2018 at 8:18 pm

        The constructive behavior is to insult people who raise awareness about Mozilla’s bad actions.

      8. Richard Allen said on October 10, 2018 at 9:28 pm

        @another Anonymous coward

        Who was insulted? You? If you’re going to be anonymous I can’t make up my own username for you since you don’t care for one?

        Since there are so many I just lump you all into the “another Anonymous coward” group. We’ve got supergirls and superboys and numerous other “warriors” using the same username. I’m not going to try and differentiate between all of you.

        (anonymous: lacking individuality, unique character, or distinction)

      9. Rush said on October 11, 2018 at 8:14 pm

        Mr. Allen, for the record, everyone who comments is anonymous, or at least supposed to be. One can choose anonymity, or a fake name, or a real name…everyone is secured by anonymity.

        No need for attacks ad hominem. State your case, listen to reply…reply back….and you’re done. It’s simple, no harm, agree to disagree…and you can be on your way to a sparkling day.

        ~a hundred years from now, it won’t matter.

        Peace

  5. Mark Hazard said on October 10, 2018 at 2:54 pm

    Why did they put the audit on Google Drive? I don’t want to join Google to read it.
    They could have put it on the Mozilla site.

    1. Yuliya said on October 10, 2018 at 4:42 pm

      They probably feel at home there (:
      “https://www27.zippyshare.com/v/lswD2OAi/file.html”

    2. MJ said on October 10, 2018 at 4:52 pm

      Ummmm You don’t need a Google account to read this audit on Google Drive. Maybe you should have tried the link before posting a comment.

      1. Mark Hazard said on October 11, 2018 at 12:43 am

        I did. I didn’t see any way to read it any other way.
        Do you have any constructive suggestions?

      2. Mark Hazard said on October 11, 2018 at 12:53 am

        I revise my previous comment. The link has been changed since I first clicked on it and I can read it now.
        I (somewhat) apologize.

  6. Stealth said on October 10, 2018 at 5:00 pm

    Won’t there be a setting in about:config to disable the automatic updating? Anyone that is concerned likely has the know-how to change it. Most users should have auto-updates to close vulnerabilities, since they will almost never update manually.

    1. Yuliya said on October 10, 2018 at 9:39 pm

      No, there isn’t. Even after blanking every field containing “http” in it and disabling everything containing the word “update”, it still has no effect. The only solution is to block access to “aus5.mozilla.org” at the OS level via the hosts file.

      And here’s a list of domains mozilla uses to spread malware to its userbase for anyone who’s interested:

      0.0.0.0 activations.cdn.mozilla.net
      0.0.0.0 aus5.mozilla.org
      0.0.0.0 crash-stats.mozilla.com
      0.0.0.0 detectportal.firefox.com
      0.0.0.0 experiments.mozilla.org
      0.0.0.0 fhr.cdn.mozilla.net
      0.0.0.0 getpocket.cdn.mozilla.net
      0.0.0.0 incoming.telemetry.mozilla.org
      0.0.0.0 input.mozilla.org
      0.0.0.0 install.mozilla.org
      0.0.0.0 onyx_tiles.stage.mozaws.net
      0.0.0.0 qsurvey.mozilla.com
      0.0.0.0 search.services.mozilla.com
      0.0.0.0 self-repair.mozilla.org
      0.0.0.0 telemetry.mozilla.org
      0.0.0.0 telemetry-experiment.cdn.mozilla.net
      0.0.0.0 tiles.services.mozilla.com
      0.0.0.0 token.services.mozilla.com

  7. 420 said on October 11, 2018 at 4:07 pm

    We need an ignore user command so I never have to see any more comments from this guy.

    1. iponymous said on October 11, 2018 at 6:28 pm

      ditto

  8. Hey said on October 12, 2018 at 4:44 am

    Martin, don’t you think it’s time to step in and put an end to this back and forth insulting ?