
Mozilla officials say they'll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.

The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of the several hundred certificate authorities (CAs) trusted by Firefox.

While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.



Even if everybody agrees that passwords are a weak way to protect access to sensitive or private information, they remain, still today, the default method implemented by many online services. A password, as complex as it may be, is easy to steal or leak. Tools like Mimikatz or memory scrapers[1] are common today. For a while now, major players on the Internet have been implementing two-factor authentication (2FA) or multi-factor authentication (MFA). Just to remind you, this authentication mechanism is based on a combination of:
- something you know (a password, a PIN or pass phrase)
- something you have (a token, a smart card)
- something you are (your fingerprint, retina, hand palm, etc.)

From a cost and ease-of-implementation point of view, the most common combination remains a password and a temporary code or OTP. There are commercial solutions based on physical tokens, but today, with the explosion of smartphones, Google Authenticator[2] and compatible applications have become the most used platform. Once the application is installed, every time you activate the OTP feature on a compatible website, you scan a QR code and that

When available, I always enable OTP on my online accounts (Twitter, GitHub, Apple, Dropbox, but also on my own resources like my blog or my private ownCloud). On my iPhone, I

I can't imagine losing all those tokens! We have used password managers for a while (well, I hope you do), but will we need an OTP manager soon? The other question is: how to safely keep track of and back up your tokens? They are available in your pocket, but a smartphone is easy to lose, to be stolen or broken. Most websites propose a procedure to recover your access if you lost your token, but there isn't a unique procedure: some propose recovery codes (that must also be safely stored somewhere), emails or SMS codes (and, guess what, usually the same phone is used to receive the recovery SMS).

Here are some best practices:

  • Always read carefully the recovery procedure
  • Copy / print backup codes
  • Link your account to a mobile phone (to receive SMS)
  • Link your account to a valid and rock-solid email address (not the one provided by your employer)

Personally, what I do:

  • When the QR code is displayed on the website, I take a screenshot of the code and rename the picture QR_websitename_.png
  • When the Base32 or HEX key is provided, I write them in a text file KEY_websitename.txt
  • Files are zipped, encrypted with my PGP key and stored offline
  • Link the account to a different SIM / phone number that can be used in any old-fashioned phone
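The QR code shown during enrolment and the Base32 key mentioned in the list above carry the same information: an otpauth:// URI holding the shared seed from which every OTP is derived (RFC 6238 TOTP on top of RFC 4226 HOTP). The example below is added here to illustrate that point and is not code from the diary or from Google Authenticator; it parses such a URI, regenerates the codes from the backed-up seed, and shows the windowed check a server performs. The URI is constructed for the example, and its secret is the RFC 6238 test key ("12345678901234567890" in Base32), not a real account.

```python
import base64
import hashlib  # listed for clarity; hmac resolves the digest by name
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: what an enrolment QR code typically encodes.
# Secret = RFC 6238 test key "12345678901234567890" in Base32 (not a real account).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Extract account, issuer, seed and parameters from an otpauth://totp/ URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    label = unquote(parts.path.lstrip("/"))          # "Issuer:account" or "account"
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "account": account,
        "issuer": q.get("issuer", issuer_from_label),
        "secret": q["secret"],                        # Base32 seed: the thing to back up
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def decode_secret(b32):
    """Base32-decode a seed; sites often omit padding and insert spaces."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(b32_secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(b32_secret), int(at) // period, digits, algorithm)


def verify_totp(b32_secret, code, at, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check: accept the current step and +/- window steps for clock skew."""
    for step in range(-window, window + 1):
        expected = totp(b32_secret, at + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    enrolment = parse_otpauth(SAMPLE_URI)
    print(enrolment["issuer"], enrolment["account"])
    # Any device holding the backed-up seed produces the same code as the phone.
    print(totp(enrolment["secret"], digits=enrolment["digits"], period=enrolment["period"],
               algorithm=enrolment["algorithm"]))
```

Because the whole scheme rests on that seed, the backed-up screenshot or text file is equivalent to the token itself and deserves the same protection as a password; encrypting the archive offline, as the list above suggests, is what keeps the backup from becoming a second copy of the secret lying around.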

Note that some 2FA apps, like Authy, propose a backup solution (usually in the cloud; it's up to you to trust it or not). To conclude, OTP passwords are a good way to protect your accounts, but have a good recovery procedure in place to avoid losing control of them. And you? How do you address this issue? Share your input!

[1] https://blog.blechschmidt.saarland/memory-recovery/
[2] https://support.google.com/accounts/answer/1066447

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.