Security Alerts & News
by Tymoteusz A. Góral

#1498 Bug that hit Firefox and Tor browsers was hard to spot—now we know why
A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month.

As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Release on September 3 and lasted until Tuesday, or a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing NoScript and certain other browser extensions. That meant an attacker who had a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user's machine. While it can be challenging to hack a certificate authority or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within the means of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. Such an attack, however, was only viable at certain periods when Mozilla-supplied "pins" expired.
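The failure mode above is a pin set with an expiry date that the browser treats as "no pins" once the date passes, which re-opens the connection to any CA-issued certificate until the next release ships fresh pins. The following is an added illustration, not code from the article or from Mozilla: a toy pin check in the HPKP style (base64 SHA-256 over a DER SubjectPublicKeyInfo) run against constructed placeholder key bytes, with the fail-open behaviour the article describes beside a fail-closed alternative, plus a helper that derives the unprotected windows from (release date, pin expiry) pairs. The host name and the September dates are from the article; the release dates, key bytes and function names are assumptions made for the example.

```python
import base64
import hashlib
from datetime import datetime, timezone


def utc(year, month, day):
    """Convenience constructor for a UTC midnight timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed placeholder key material (assumption); real pins are digests
# of real SPKI structures taken from the site's certificate chain.
LEGIT_SPKI = b"constructed placeholder: legitimate addons.mozilla.org key"
ROGUE_SPKI = b"constructed placeholder: key from a mis-issued certificate"

# A static pin set with an expiry, modelled on what the article describes.
# The expiry is the start of the September window from the article.
PIN_SET = {
    "host": "addons.mozilla.org",
    "pins": {spki_pin(LEGIT_SPKI)},
    "expires": utc(2016, 9, 3),
}


def check_connection(pin_set, chain_spkis, now, fail_open):
    """Decide whether a TLS chain for pin_set['host'] is accepted.

    Returns (accepted, reason). fail_open=True reproduces the behaviour the
    article describes: once the pins expire, pinning is silently skipped and
    any chain that passes ordinary CA validation goes through. fail_open=False
    is the defensive alternative: expired pins refuse the connection until a
    release with a fresh pin set arrives.
    """
    if now >= pin_set["expires"]:
        if fail_open:
            return True, "pins expired; pinning skipped, CA validation only"
        return False, "pins expired; failing closed"
    presented = {spki_pin(spki) for spki in chain_spkis}
    if presented & pin_set["pins"]:
        return True, "pin matched"
    return False, "no pinned key in chain"


def unprotected_windows(releases):
    """Given (ship_date, pin_expiry) per browser release in order, return the
    (start, end, days) gaps in which the shipped pins had already expired
    before the next release replaced them. With fail-open pinning these gaps
    are exactly the windows in which a forged certificate would be accepted."""
    windows = []
    for (_, expiry), (next_ship, _) in zip(releases, releases[1:]):
        if expiry < next_ship:
            windows.append((expiry, next_ship, (next_ship - expiry).days))
    return windows


if __name__ == "__main__":
    # Before expiry the rogue key is rejected regardless of policy.
    print(check_connection(PIN_SET, [ROGUE_SPKI], utc(2016, 8, 1), fail_open=True))
    # Inside the window, fail-open accepts it and fail-closed does not.
    print(check_connection(PIN_SET, [ROGUE_SPKI], utc(2016, 9, 10), fail_open=True))
    print(check_connection(PIN_SET, [ROGUE_SPKI], utc(2016, 9, 10), fail_open=False))
    # Assumed release dates bracketing the article's 17-day September window.
    releases = [(utc(2016, 8, 2), utc(2016, 9, 3)), (utc(2016, 9, 20), utc(2016, 11, 1))]
    print(unprotected_windows(releases))
```

The two policies differ only in the expired branch; everything else (digest, set intersection) is the same, which is the point: expiry handling decides whether a stale pin set is a hard failure a user sees or a silent downgrade an attacker can wait for.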