Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html | |
| http://www.mozilla.org/security/announce/2016/mfsa2016-85.html | release notes |
| https://www.mozilla.org/security/advisories/mfsa2016-86/ | |
| https://blog.mozilla.org/security/2016/09/16/update-on-add-on-pinning-vulnerability/ | third party advisory vdb entry |
| https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95 | technical description |
| http://www.debian.org/security/2016/dsa-3674 | vendor advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1303127 | third party advisory vdb entry issue tracking |
| http://seclists.org/dailydave/2016/q3/51 | third party advisory mailing list |
| https://security.gentoo.org/glsa/201701-15 | vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2016-1912.html | vendor advisory |
| https://www.mozilla.org/security/advisories/mfsa2016-88/ | |
| http://www.securityfocus.com/bid/93049 | vdb entry |
| http://www.securitytracker.com/id/1036852 | vdb entry |