One of the core components of the Firefox web browser is the integrated updating system, which checks for new updates regularly and downloads and installs them automatically.
Mozilla hired German security company X41 D-SEC GMBH to audit the Application Update Service (AUS) that powers automatic Firefox updates. The company’s security researchers analyzed the update component in the Firefox client as well as backend services designed to deliver updates and provide Mozilla staff with management functionality (called Balrog).
The researchers analyzed the source code of the components and used “various methods of penetration testing to assess the integrity of the infrastructure, web applications, and updater clients”.
No critical issues
No critical issues were discovered by the researchers. The researchers did find three vulnerabilities that they rated high, seven that they rated medium, and four that they rated low. They also discovered 21 issues “without a direct security impact”.
All vulnerabilities rated with a severity rating of high were found in the management console Balrog which is only accessible on Mozilla’s internal network.
The most serious vulnerability discovered was a Cross-Site Request Forgery (CSRF) vulnerability in the administration web application interface, which might allow attackers to trigger unintended administrative actions under certain conditions.
Other vulnerabilities identified were memory corruption issues, insecure handling of untrusted data, and stability issues (Denial of Service (DoS)). Most of these issues were constrained by the requirement to bypass cryptographic signatures.
No issues were identified in the handling of cryptographic signatures for update files. There were no cryptographic signatures on the XML files describing the update files’ location and other metadata. The files were downloaded via HTTPS, but the server certificates or public keys were not pinned.
The three vulnerabilities rated high are:
- BLRG-PT-18-010: CSRF Token not Validated
- BLRG-PT-18-011: Cookies Without the Secure Flag
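The two findings listed above, a CSRF token that is issued but never validated and a session cookie served without the Secure flag, are the kind of defects a reviewer checks for in any administrative web console. The following Python example is added here to illustrate the hardened form of both; it is not Balrog code, the audit's own material, or any Mozilla code, and it assumes a generic session store (the `SESSIONS` dict and the request dict layout are constructed for the example) and Python 3.8 or newer for the `SameSite` attribute in `http.cookies`.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store, constructed for this example:
# session id -> session data (in a real application this lives server-side).
SESSIONS = {}


def create_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Build the Set-Cookie value for the session id with the hardening attributes:
    Secure (only sent over HTTPS, the missing flag in BLRG-PT-18-011),
    HttpOnly (not readable by script) and SameSite=Strict (not attached to
    cross-site requests, a second line of defence against CSRF)."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def missing_cookie_flags(set_cookie_value):
    """Audit check: return the hardening attributes absent from a Set-Cookie value.
    An empty list means Secure, HttpOnly and SameSite are all present."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    missing = []
    for morsel in cookie.values():
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["samesite"]:
            missing.append("SameSite")
    return missing


def validate_csrf(request):
    """Accept a state-changing request only if the token it carries matches the
    token bound to the caller's session. This is the check that BLRG-PT-18-010
    reports as absent: issuing a token is useless unless every mutating handler
    verifies it. `request` is a dict constructed for this example with the keys
    "method", "cookies" and "form"."""
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return True  # safe methods do not change state, so no token is required
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return False  # no valid session, nothing to bind the token to
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered through timing.
    return hmac.compare_digest(submitted, session["csrf_token"])


if __name__ == "__main__":
    sid = create_session()
    token = SESSIONS[sid]["csrf_token"]
    print(session_cookie_header(sid))
    print(missing_cookie_flags("session=abc; HttpOnly; Path=/"))
    print(validate_csrf({"method": "POST", "cookies": {"session": sid},
                         "form": {"csrf_token": token}}))
    print(validate_csrf({"method": "POST", "cookies": {"session": sid},
                         "form": {}}))
```

In practice `validate_csrf` belongs in a single middleware or decorator applied to every mutating route, so that a handler cannot forget the check, and `missing_cookie_flags` is the kind of assertion an integration test runs against every Set-Cookie header the console emits.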
Mozilla has fixed some of the issues already and is actively working on fixing the remaining ones. The full audit has been published on Google Drive. It contains detailed information about each of the detected vulnerabilities and further documentation.
A third-party security audit of Firefox’s updating components both in the client and on the backend concluded that security was good. No critical issues were found during the audit and all issues rated high were found in the administrative console only accessible on Mozilla’s internal network.