Mozilla has fixed several security issues in the Firefox update system following an external security audit. The update system has to be secure so that users cannot be served malicious updates through man-in-the-middle attacks or compromised update servers.
The audit was conducted earlier this year, took 27 days and was performed by four security researchers from the German firm X41 D-SEC. They analyzed both the back-end service that distributes the updates (Balrog) and the client code that actually performs the installation of an update in the browser. Among other things, they carried out a cryptographic review of the update signing protocol and a manual review of all update-related code.
The researchers did not find any critical vulnerabilities, but they did find several that they rated from low to high severity. Three were rated high, all of them in the Balrog interface. One of the three was a Cross-Site Request Forgery (CSRF) vulnerability that, in the worst case, allowed an attacker to perform unauthorized administrator actions.
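As an added illustration (this is not code from the report, from Mozilla or from Balrog), here is a minimal model of the class of bug named above and the check that stops it. The browser attaches the victim's session cookie to a POST submitted from an attacker-controlled page, so an endpoint that authorizes on the cookie alone executes the action as the logged-in administrator. The hardened handler additionally requires a same-origin `Origin` header and a per-session anti-CSRF token. The endpoint, form fields, origins and the `Request` model are hypothetical and constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an HTTP request as a web framework would hand it to a handler.
@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def login(user):
    """Create a session with a random id and a random per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the legitimate admin page embeds in its forms (served only same-origin)."""
    return SESSIONS[sid]["csrf"]

def vulnerable_admin_action(req):
    """Authorizes on the session cookie alone. The browser sends that cookie with a
    cross-site POST too, so any page the admin visits can trigger the action."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403, "forbidden"
    return 200, f"{sess['user']} performed {req.form.get('action')}"

def hardened_admin_action(req, allowed_origin="https://admin.example"):
    """Same action, but the request must (a) carry an Origin header matching the
    admin site and (b) present the per-session anti-CSRF token in the form body.
    A cross-site page cannot read that token, and its Origin differs."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403, "forbidden"
    # Reject a missing Origin as well: a forged request should never get the benefit of the doubt.
    if req.headers.get("Origin") != allowed_origin:
        return 403, "bad or missing origin"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time comparison
        return 403, "missing or invalid csrf token"
    return 200, f"{sess['user']} performed {req.form.get('action')}"

def forged_request(sid):
    """What the browser emits when a logged-in admin visits an attacker page that
    auto-submits a form to the admin endpoint: session cookie present, attacker Origin, no token."""
    return Request("POST", "/admin/action", {"session": sid},
                   {"Origin": "https://evil.example"}, {"action": "publish"})

def legitimate_request(sid):
    """Same action submitted from the real admin page, token included."""
    return Request("POST", "/admin/action", {"session": sid},
                   {"Origin": "https://admin.example"},
                   {"action": "publish", "csrf_token": csrf_token_for(sid)})

def demo():
    """Returns (vulnerable status on forged, hardened status on forged, hardened status on legitimate)."""
    sid = login("admin")
    return (vulnerable_admin_action(forged_request(sid))[0],
            hardened_admin_action(forged_request(sid))[0],
            hardened_admin_action(legitimate_request(sid))[0])

if __name__ == "__main__":
    print(demo())  # forged request succeeds only against the vulnerable handler
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the token and Origin checks above do not depend on it, which matters for clients that do not honour the attribute.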
All of the reported vulnerabilities have been fixed, and Mozilla has made the report (PDF) publicly available.