
Does Firefox Windows service check digital signature?


portft...@gmail.com

Dec 3, 2012, 3:30:26 AM
Hello,

as the Firefox update system service now installs new versions of Firefox without administrator rights, I was wondering whether it checks that the update has been digitally signed with the correct digital certificate of Mozilla Corporation?

If it did not, it would be a very good attack vector. The attacker would just modify the binary while it is being downloaded or alter the binaries on the server...

Thanks for a reply.

portft...@gmail.com

Dec 3, 2012, 3:32:24 AM
In contrast, in the past we had to confirm the UAC prompt, in which Windows displayed the verified name from the digital certificate. This isn't the case anymore with the update service.

Justin Wood (Callek)

Dec 3, 2012, 5:10:41 AM
to portft...@gmail.com
Yes it does.

We sign our update files themselves, before they are ever seen by users
-- then the update service checks to be sure that this update is for an
update-channel we support (e.g. so we don't accidentally update a
release user to a nightly build).

THEN it also double-checks the cert that it was signed with, and it has
to match what it expects, otherwise the update doesn't get applied.

I'm not an expert on the code involved, but very smart people thought
this through and used a solution that is quite secure.

--
~Justin Wood (Callek)

portft...@gmail.com

Dec 3, 2012, 5:14:08 AM
to portft...@gmail.com
Thanks for the reply. However, I would like to double-check you know this for sure.

Did you read the relevant part of the source code yourself? Or is there a credible reference for your statements on the web?

Thanks!

Justin Wood (Callek)

Dec 3, 2012, 7:39:28 AM
to portft...@gmail.com
portft...@gmail.com wrote:
> Thanks for the reply. However, I would like to double-check you know this for sure.
>
> Did you read the relevant part of the source code yourself? Or is there a credible reference for your statements on the web?
>
Yes I know this for sure, yes I skimmed the source code, and the
reference is at mxr.mozilla.org for source code or bugzilla.

Sadly I do not have any of the links handy, and do not have time to redo
my efforts in verification.

[I *double* checked what I remembered was indeed fact before I replied]

--
~Justin Wood (Callek)

Lawrence Mandel

Dec 3, 2012, 11:30:05 AM
to Justin Wood (Callek), dev-apps...@lists.mozilla.org
Justin is correct. If you want to dig into the details of the service, here are a couple of places to start:

https://bugzilla.mozilla.org/show_bug.cgi?id=481815
https://wiki.mozilla.org/Windows_Service_Silent_Update

Lawrence

Andrew Joakimsen

Dec 3, 2012, 2:05:36 PM
to portft...@gmail.com, dev-apps...@lists.mozilla.org
What is the proper way to disable it, so the user does continue to see
the UAC prompt and does not accidentally install any undesired
"update?"

On Mon, Dec 3, 2012 at 3:32 AM, <portft...@gmail.com> wrote:
>
> In contrast, in the past we had to confirm the UAC prompt, in which Windows displayed the verified name from the digital certificate. This isn't the case anymore with the update service.

Ian Melven

Dec 3, 2012, 2:11:11 PM
to Andrew Joakimsen, portft...@gmail.com, dev-apps...@lists.mozilla.org

see https://wiki.mozilla.org/Windows_Service_Silent_Update#Preferences

you will still receive updates, but the service will not be used to install them 'silently'
without the UAC prompt.

thanks
ian

Lawrence Mandel

Dec 3, 2012, 2:15:11 PM
to Ian Melven, portft...@gmail.com, dev-apps...@lists.mozilla.org, Andrew Joakimsen
In case anyone wants to share the link, here's a support link with the same information (but formatted a little more nicely):

https://support.mozilla.org/kb/what-mozilla-maintenance-service

Lawrence

Justin Wood (Callek)

Dec 4, 2012, 4:25:17 AM
to Andrew Joakimsen
Andrew Joakimsen wrote:
> What is the proper way to disable it, so the user does continue to see
> the UAC prompt and does not accidentally install any undesired
> "update?"
>

Options->Advanced->Update

But I highly recommend leaving automated updates on, it will help keep
you protected from malware/viruses and other security threats on the
web. As well as keep your browser updated to guard against known
crashes/performance problems.

--
~Justin Wood (Callek)

net...@gmail.com

Dec 4, 2012, 2:16:56 PM
I wrote this code and the previous answers are very good, but I'll provide a bit of extra information:
- The MAR files themselves contain the updated files, information about which update channel you're using, information about the product the MAR file is for, and which version you had before to prevent downgrades.
- When this MAR file is downloaded by Firefox, it is done over HTTPS and a checksum is verified.
- In case the SSL certs on the update server are ever compromised, or in case an attacking process has physical unelevated access to a machine, we also sign the actual MAR files that contain the updates.
- This MAR file is signed at build time and that signature is verified before the updates are applied. This applies both for updates without the maintenance service and updates with the maintenance service.
- For updates with the maintenance service in particular, it also checks the signature on the updater.exe itself that it uses to actually perform the update.
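
An added example, not part of the thread and not Mozilla's code: a sketch of the metadata checks the post above describes (signed at all, accepted channel, no downgrade) run over a MAR header. The header layout used here (magic, index offset, file size, signature blocks, then additional blocks with a product-info block holding channel and version) is an assumption the post does not spell out; the channel names, versions and `build_sample` helper are constructed, and cryptographic verification of the signature against the expected certificate is a separate step not shown.

```python
import struct

PRODUCT_INFO_BLOCK_ID = 1  # assumed id of the channel/version block

def parse_mar_header(data):
    """Extract signature blocks and product info; raises on malformed input."""
    if data[:4] != b"MAR1":
        raise ValueError("not a MAR file")
    # Bytes 4..8 hold the index offset; file size and signature count follow.
    _file_size, num_sigs = struct.unpack_from(">QI", data, 8)
    pos, sigs = 20, []
    for _ in range(num_sigs):
        algo, length = struct.unpack_from(">II", data, pos)
        if pos + 8 + length > len(data):
            raise ValueError("truncated signature block")
        sigs.append((algo, data[pos + 8:pos + 8 + length]))
        pos += 8 + length
    (num_blocks,) = struct.unpack_from(">I", data, pos)
    pos += 4
    info = {"signatures": sigs, "channel": None, "version": None}
    for _ in range(num_blocks):
        size, block_id = struct.unpack_from(">II", data, pos)
        if size < 8 or pos + size > len(data):
            raise ValueError("bad additional block size")
        fields = data[pos + 8:pos + size].split(b"\0")
        if block_id == PRODUCT_INFO_BLOCK_ID and len(fields) >= 2:
            info["channel"], info["version"] = fields[0].decode(), fields[1].decode()
        pos += size
    return info

def metadata_ok(info, accepted_channels, installed_version):
    """Refuse unsigned, wrong-channel or older updates (dotted numeric versions only)."""
    if not info["signatures"] or info["channel"] is None:
        return False
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return (info["channel"] in accepted_channels
            and as_tuple(info["version"]) >= as_tuple(installed_version))

def build_sample(channel, version, sig=b"\x00" * 256):
    """Constructed header for the demo; the signature bytes are a placeholder."""
    info = channel.encode() + b"\0" + version.encode() + b"\0"
    body = struct.pack(">QI", 0, 1 if sig else 0)
    if sig:
        body += struct.pack(">II", 1, len(sig)) + sig
    body += struct.pack(">I", 1) + struct.pack(">II", 8 + len(info), 1) + info
    return b"MAR1" + struct.pack(">I", 0) + body
```
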