Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock

The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.

The patch was part of the non-profit’s Monday update to Firefox 88, its corporate Firefox ESR 78.10 browser and its Thunderbird 78.10 email client. In total, Firefox 88 addresses 13 browser bugs, six of which are rated high-severity.

Padlock Bug: False Sense of Security

Tracked as CVE-2021-23998, the secure-lock-icon bug affects both the consumer and corporate versions of Firefox browsers prior to the Monday releases. “Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page,” wrote Mozilla in its security advisory.

Credited with discovering the spoofed secure lock icon is independent researcher Jordi Chancel, who on December 10, 2020 tweeted “I discovered again a new SSL Spoofing Issue (and others various security issues last 2 months)”. The vulnerability has a severity rating of moderate, Mozilla reported (https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23998).

The browser padlock icon, used by all major browsers, indicates a secure communication channel between the browser and the server hosting the website. It indicates the communication is encrypted using HTTPS and utilizes an SSL/TLS certificate.

Six High-Severity Bugs

Other bugs, rated high-severity, range from memory corruption flaws to one that allowed a rogue website to render malicious JavaScript outside a webpage’s visible content window.

“By utilizing 3D CSS in conjunction with Javascript, content could have been rendered outside the webpage’s viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user,” Mozilla wrote of the bug tracked as CVE-2021-23996.

Bug hunter Irvan Kurniawan is credited with unearthing two of the high-severity bugs and one moderate flaw fixed in Firefox on Monday. One (CVE-2021-23995) is a bug described as a “use-after-free in responsive design mode”.

“When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code,” wrote Mozilla. Responsive design is a term used to describe how websites automatically adapt to different-sized screens.

Kurniawan is also credited with finding a use-after-free bug (CVE-2021-23997) that can be triggered by the releasing of a web-based font from the browser’s cache. This bug, like Kurniawan’s previous vulnerability, could be used by an adversary to target a specific browser and execute remote code.

“Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code,” Mozilla wrote.

The Mozilla security bulletin is light on the technical specifics of the bug and does not indicate if any of the 13 flaws outlined in its advisory are being exploited in the wild. The relatively mild collection of Firefox fixes stands in contrast to Google and its Chrome browser, which last week rushed patches addressing a zero-day remote code execution (RCE) vulnerability.
