Mozilla Foundation Security Advisory 2006-58

Auto-update compromise through DNS and SSL spoofing

Announced
September 14, 2006
Reporter
Jon Oberheide
Impact
Moderate
Products
Firefox, Thunderbird
Fixed in
  • Firefox 1.5.0.7
  • Thunderbird 1.5.0.7

Description

The Firefox and Thunderbird auto-update mechanism protects itself against DNS spoofing using SSL; only a site presenting a valid certificate for aus2.mozilla.org will be trusted as a source of update information. Jon Oberheide points out, however, that many users accept unverifiable self-signed certificates without much thought on "low value" sites, and this could be used as the basis of an attack on the update system.

The attacker would have to be in a position to spoof the victim's DNS, causing them to connect to sites of the attacker's choosing rather than the sites intended by the victim. If they gained that control and the victim accepted the attacker's cert for the Mozilla update site, then the next update check could be hijacked and redirected to the attacker's site without detection. The attacker could then send an "update" that consisted of whatever programs they wished.

Workaround

Do not accept unverifiable (often self-signed) certificates as valid. If you must, accept them for the session only, never permanently. If you have approved such a certificate during that session exit the client completely and restart before checking for or accepting automatic updates.

References