CVE-2016-9064
Mozilla: Addons update must verify IDs match between current and new versions (MFSA 2016-89, MFSA 2016-90)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update. This vulnerability affects Firefox ESR < 45.5 and Firefox < 50.
Las actualizaciones de add-ons no verifican si el ID de add-on en el paquete firmado coincide con el ID del add-on que se está ejecutando. Un atacante que pueda realizar un ataque Man-in-the-Middle (MitM) en la conexión del usuario al servidor de actualización y superar la protección de asignación de certificados podría proporcionar un add-on maliciosamente firmado en lugar de una actualización válida. La vulnerabilidad afecta a Firefox ESR en versiones anteriores a la 45.5 y Firefox en versiones anteriores a la 50.
A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update.
Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, Markus Stange, Olli Pettay, Ehsan Akhgari, Gary Kwong, Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. A same-origin policy bypass was discovered with local HTML files in some circumstances. An attacker could potentially exploit this to obtain sensitive information. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-10-27 CVE Reserved
- 2016-11-16 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/94336 | Third Party Advisory | |
| http://www.securitytracker.com/id/1037298 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1303418 | 2018-08-01 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2780.html | 2018-08-01 | |
| https://security.gentoo.org/glsa/201701-15 | 2018-08-01 | |
| https://www.mozilla.org/security/advisories/mfsa2016-89 | 2018-08-01 | |
| https://www.mozilla.org/security/advisories/mfsa2016-90 | 2018-08-01 | |
| https://access.redhat.com/security/cve/CVE-2016-9064 | 2016-11-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1395060 | 2016-11-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 50.0 Search vendor "Mozilla" for product "Firefox" and version " < 50.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 45.5.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 45.5.0" | - |
Affected
| ||||||