Audit Finds No Critical Flaws in Firefox Update System
12.10.2018 securityweek
Vulnerebility

An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated "high severity" were not easy to exploit.

Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.

X41's audit revealed 14 vulnerabilities, including three issues that based on their CVSS score would be rated as "high severity," seven "medium" and four "low" flaws. In addition, experts discovered 21 issues that have been described by Mozilla as "side findings," which are informational.

The most serious of the security holes are related to the use of JavaScript libraries with known vulnerabilities, the lack of validation for cross-site request forgery (CSRF) tokens, and the use of cookies without the "secure" flag. All of these problems affected the backend service that manages updates, which Mozilla has dubbed Balrog.

While these flaws may have normally posed a serious risk, Mozilla pointed out that the actual risk was lowered due to AUS being protected by multiple layers of authentication inside its internal network.

The audit also uncovered some bugs in the code that handles update files, but the cryptographic signatures implemented by Mozilla prevent threat actors from creating malicious update files.

Researchers also discovered some less serious denial-of-service (DoS) bugs, memory corruption issues, and insecure handling of data, but they noted that exploitation was prevented by the need to bypass crypto signatures.

"No issues were identified in the handling of cryptographic signatures for update files," X41 wrote in its report. "There were no cryptographic signatures on the XML files describing the update files’ location and other metadata. The files were downloaded via HTTPS, but the server certificates or public keys were not pinned."

Auditors noted that the number of informational bugs was "unusually high" and warned that these should be patched as well, as some of them could turn out to be exploitable and critical.

"In conclusion, the AUS showed good resistance against the actual exploitation of vulnerabilities," X41 said.

Mozilla has already patched the serious vulnerabilities and is currently working on addressing the less severe issues and the side findings. The organization has made public the full report from X41 and opened the bug tracker where the patching progress can be monitored.

This is not the first security audit commissioned by Mozilla. Last year it hired Cure53 to analyze the Firefox Accounts system.