If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

update.mozilla.org may be exposed to DNS pollution

RESOLVED WORKSFORME

Status

()

Toolkit
Add-ons Manager
--
critical
RESOLVED WORKSFORME
13 years ago
9 years ago

People

(Reporter: Noam Tamim, Assigned: Ben Goodger (use ben at mozilla dot org for email))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse])

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

IANAH (H for hacker), but there seems to be an opportunity for hacking in the
extension mechanism: I can only install software from "allowed sites", but what
if some virus/malware has changes my HOSTS file, or someone else has polluted my
DNS? update.mozilla.org (or any other "allowed" site) can be referred to any
other ip address.
There are many possible solutions (I have a few ideas) - but please verify my
concerns before. I'm checking the "security" box in the hope to get quick
[in]validation quietly.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
(Reporter)

Comment 1

13 years ago
Before anyone comments on it, I just what to say that the main problem with this
bug is that it gives, in a way, a false sense of security - something like: "I
only have trusted sites on my list, I am safe".

Comment 2

13 years ago
What's the concrete problem? update.mozilla.org is just a normal website (or
not?), with special privilege to *propose* installations. The user still gets
the scary confirmation dialog. The whitelist was just an additional layer of
protection.

The above is not true, if Firefox makes some other assumption in the code and
implicitly trusts update.mozilla.org. In that case, you would be right, but the
hole would be pretty obvious to anybody who knows the slightest bit about
security (so no need to hide the bug). But I hope that's not the case, because I
hope the Firefox guys know enough about security to not trust http.

If anybody knows for sure, either way, please say so.
Group: security
Whiteboard: [sg:nse]
This is a valid concern that we have already addressed: Access
update.mozilla.org (umo) through https and you can be sure you are talking to
the real deal.

Firefox bases its built-in update checks on information it gets from umo, but it
communicates over SSL, and if updates are available it sends you to the SSL
version of umo. Ditto if you open the extension dialog and click on the "Get
more extensions" link.

If you are surfing on your own and visit the unsecure version of umo then you
are running the same risks millions of people do getting software from
http://download.com.com. DNS spoofing is rare, but Firefox has done what it can
to avoid even that problem by using SSL.

[You can, in fact, install software from any site. Just as you can download an
executable and run it, you can download a .xpi from any site and drop it onto a
browser window to run it. Both actions incur exactly the same risks.]
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.