Security Experts:

Connect with us

Hi, what are you looking for?



Audit Finds No Critical Flaws in Firefox Update System

An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated “high severity” were not easy to exploit.

An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated “high severity” were not easy to exploit.

Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.

X41’s audit revealed 14 vulnerabilities, including three issues that based on their CVSS score would be rated as “high severity,” seven “medium” and four “low” flaws. In addition, experts discovered 21 issues that have been described by Mozilla as “side findings,” which are informational.

The most serious of the security holes are related to the use of JavaScript libraries with known vulnerabilities, the lack of validation for cross-site request forgery (CSRF) tokens, and the use of cookies without the “secure” flag. All of these problems affected the backend service that manages updates, which Mozilla has dubbed Balrog.

While these flaws may have normally posed a serious risk, Mozilla pointed out that the actual risk was lowered due to AUS being protected by multiple layers of authentication inside its internal network.

The audit also uncovered some bugs in the code that handles update files, but the cryptographic signatures implemented by Mozilla prevent threat actors from creating malicious update files.

Researchers also discovered some less serious denial-of-service (DoS) bugs, memory corruption issues, and insecure handling of data, but they noted that exploitation was prevented by the need to bypass crypto signatures.

“No issues were identified in the handling of cryptographic signatures for update files,” X41 wrote in its report. “There were no cryptographic signatures on the XML files describing the update files’ location and other metadata. The files were downloaded via HTTPS, but the server certificates or public keys were not pinned.”

Auditors noted that the number of informational bugs was “unusually high” and warned that these should be patched as well, as some of them could turn out to be exploitable and critical.

“In conclusion, the AUS showed good resistance against the actual exploitation of vulnerabilities,” X41 said.

Mozilla has already patched the serious vulnerabilities and is currently working on addressing the less severe issues and the side findings. The organization has made public the full report from X41 and opened the bug tracker where the patching progress can be monitored.

This is not the first security audit commissioned by Mozilla. Last year it hired Cure53 to analyze the Firefox Accounts system.

Related: Mozilla Adding New CSRF Protection to Firefox

Related: Mozilla to Researchers – Stay Away From User Data and We Won’t Sue

Related: Mozilla Appoints New Policy, Security Chief

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.