Tor web browser users are advised to update it as soon as possible.

    Tor Browser users are advised to update as soon as possible to the latest version, 6.0.5. The new release fixes a serious Firefox vulnerability (internal identifier ESR-45) that allows an attacker holding a valid or forged TLS certificate for addons.mozilla.org to install malware remotely by delivering a malicious update for the NoScript extension.

    This release features important security updates to Firefox including the recently disclosed extension update vulnerability. All users should upgrade as soon as possible.

    The vulnerability itself (Tor Browser certificate pinning bypass for addons.mozilla.org) allows skilled attackers to mount a covert RCE attack against Tor Browser users on multiple platforms, including Windows, Linux, and OS X.

    That vulnerability allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update, e.g. for NoScript. This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries (e.g. nation states).
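    To make the defensive point concrete: certificate pinning is a second gate after ordinary CA validation, so a certificate that a trusted CA vouches for is still rejected unless its public key matches a pin the browser ships for that host. The example below is added here and is not Tor Browser or Firefox code; the SPKI byte strings, host name and pin set are constructed for illustration, and the `enforce` flag is an assumption used to show the difference between a pin that is merely checked and one that actually blocks the connection.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of two
# certificates. Real pins are computed over the actual DER SPKI bytes.
PINNED_SPKI = b"constructed-spki-of-the-legitimate-addons-key"
ROGUE_SPKI = b"constructed-spki-from-a-rogue-but-ca-valid-cert"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset  # base64 sha256 pins: primary plus backup keys
    enforce: bool = True  # assumption: False means "report only, do not block"


def verify_connection(host: str, chain_valid: bool, chain_spkis: list,
                      pinset: PinSet) -> tuple:
    """
    Return (accept, reason). CA validation is assumed to have run already
    and its verdict is passed in as chain_valid; pinning then requires that
    at least one key in the presented chain matches a shipped pin.
    """
    if not chain_valid:
        return False, "chain failed CA validation"
    if host != pinset.host:
        return True, "host not pinned"
    candidates = {spki_pin(s) for s in chain_spkis}
    # constant-time comparison of each presented key against each pin
    matched = any(hmac.compare_digest(c, p)
                  for c in candidates for p in pinset.pins)
    if matched:
        return True, "pin matched"
    if pinset.enforce:
        return False, "pin mismatch: CA-valid chain but no pinned key present"
    return True, "pin mismatch (not enforced)"


# Constructed pin set for the host discussed on this page.
ADDONS_PINS = PinSet(host="addons.mozilla.org",
                     pins=frozenset({spki_pin(PINNED_SPKI)}))


def demo() -> dict:
    """Run the three cases a practitioner would want to see side by side."""
    return {
        "legit": verify_connection("addons.mozilla.org", True,
                                   [PINNED_SPKI], ADDONS_PINS),
        "rogue_enforced": verify_connection("addons.mozilla.org", True,
                                            [ROGUE_SPKI], ADDONS_PINS),
        "rogue_unenforced": verify_connection(
            "addons.mozilla.org", True, [ROGUE_SPKI],
            PinSet(ADDONS_PINS.host, ADDONS_PINS.pins, enforce=False)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:17s} accept={ok!s:5s} {why}")
```

The `rogue_enforced` case is the situation the advisory describes: the chain passes CA validation, yet the key is not one the browser pinned, so an enforcing client refuses the update download. The `rogue_unenforced` case shows why pinning only helps when it is actually enforced rather than merely evaluated.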

    Other Firefox weaknesses are used in combination to exploit this vulnerability, for example the fully automated process for digitally signing extensions. The attack may consist of the following steps.

    • Develop a malicious extension containing the attackers' code, then have it signed by Mozilla.
    • Obtain a forged certificate for addons.mozilla.org that passes verification against one of the CAs in Firefox's trust store (a very difficult task, but not impossible for state-sponsored attackers).
    • Mount a MitM attack on the traffic between addons.mozilla.org and the victim's system when NoScript updates.
    • The malicious extension is delivered to the victim instead of the legitimate update.

    We recommend that users upgrade their copy of the browser to version 6.0.5. It can be downloaded here or from the distribution directory web page.

    The vulnerability is described in more detail in the following sources:

    • hackernoon.com
    • seclists.org

    Be secure.
