Mozilla will patch a flaw in Firefox that can be exploited by well-resourced attackers to impersonate the browser's software update servers – and thus inject malicious code into victims' computers.

This vulnerability can, for one thing, be exploited to unmask people using the Tor project's Firefox-based anonymizing web browser.

The security hole "allows an attacker who is able to obtain a valid certificate for addons.mozilla.org to impersonate Mozilla's servers and to deliver a malicious extension update," Tor developer Georg Koppen blogged while announcing version 6.0.5 of the Tor Browser, which addresses the shortcoming.

"This could lead to arbitrary code execution. Moreover, other built-in certificate pinnings are affected as well. Obtaining such a certificate is not an easy task, but it's within reach of powerful adversaries such as nation states."

Security researcher Movrcx detailed exploitation of the flaw here and estimated that attackers would need to burn US$100,000 to successfully man-in-the-middle HTTPS connections from browsers to update servers.

"This attack enables arbitrary remote code execution against users accessing specific clearnet resources when used in combination with a targeting mechanism; such as by passively monitoring exit node traffic for traffic destined for specific clearnet resources," he wrote.

"Additionally this attack enables an attacker to conduct exploitation at a massive scale against all Tor Browser users and to move towards implantation after selected criteria are met - such as an installed language pack, public IP address, DNS cache, stored cookie, stored web history, and so on."

The need to obtain a legitimate TLS certificate for addons.mozilla.org was the cause of the high cost of entry to the attack, something Movrcx says was "difficult to accomplish but not impossible".

He claimed members of the Tor Project did not accept his initial private disclosure.

Independent security researcher Ryan Duff says Firefox used its own weaker version of key pinning which created the attack vector, adding Mozilla had fixed the flaw in the nightly version of its browser.

"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," he said. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."

Mozilla will push the fix into its stable release version on September 20. ®