{"id":2389,"date":"2018-10-09T01:00:40","date_gmt":"2018-10-09T08:00:40","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2389"},"modified":"2018-10-09T06:45:15","modified_gmt":"2018-10-09T13:45:15","slug":"trusting-the-delivery-of-firefox-updates","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/","title":{"rendered":"Trusting the delivery of Firefox Updates"},"content":{"rendered":"<p>Providing a web browser that you can depend on year after year is one of the core tenet of the Firefox security strategy. We put a lot of time and energy into making sure that the software you run has not been tampered with while being delivered to you.<\/p>\n<p>In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired <a href=\"https:\/\/www.x41-dsec.de\/\">X41 D-SEC Gmbh<\/a> to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.<\/p>\n<p>Four researchers spent a total of 27 days running a technical security review of both the backend service that manages updates (Balrog) and the client code that updates your browser. The scope of the audit included a cryptographic review of the update signing protocol, fuzzing of the client code, pentesting of the backend and manual code review of all components.<\/p>\n<p>Mozilla Security continuously reviews and tests the security of Firefox, but external verification is a critical part of our <a href=\"https:\/\/wiki.mozilla.org\/Security\/FirefoxOperations\">operations security strategy<\/a>. We are glad to say that X41 did not find any critical flaw in AUS, but they did find various issues ranking from low to high, as well as 21 side findings.<\/p>\n<blockquote><p>X41 D-Sec GmbH found the security level of AUS to be good. No critical vulnerabilities have been identified in any of the components. The most serious vulnerabilities that were discovered are a Cross-Site Request Forgery (CSRF) vulnerability in the administration web application interface that might allow attackers to trigger unintended administrative actions under certain conditions. Other vulnerabilities identified were memory corruption issues, insecure handling of untrusted data, and stability issues (Denial of Service (DoS)). Most of these issues were constrained by requiring to bypass cryptographic signatures.<\/p><\/blockquote>\n<p>Three vulnerabilities ranked as high, and all of them were located in the administration console of <a href=\"https:\/\/github.com\/mozilla\/balrog\/\">Balrog<\/a>, the backend service of Firefox AUS, which is protected behind multiple factors of authentication inside our internal network. The extra layers of security effectively lower the risk of the vulnerabilities found by X41, but we fixed the issues they found regardless.<\/p>\n<p>X41 found a handful of bugs in the C code that handles update files. Thankfully, the cryptographic signatures prevent a bad actor from crafting an update file that could impact Firefox. Here again, designing our systems with multiple layers of security has proven useful.<\/p>\n<p>Today, we are making <a href=\"https:\/\/drive.google.com\/file\/d\/1v53GCYPxzoZmB1dCop1yJfZgS1wi64dS\/view\">the full report accessible to everyone<\/a> in an effort to keep Firefox open and transparent. We are also opening up <a href=\"https:\/\/bugzilla.mozilla.org\/showdependencytree.cgi?id=1468525&amp;hide_resolved=1\">our bug tracker<\/a> so you can follow our progress in mitigating the issues and side findings identified in the report.<\/p>\n<p>Finally, we\u2019d like to thank X41 for their high quality work on conducting this security audit. And, \u00a0as always, we invite you to help us keep Firefox secure by reporting issues through<a href=\"https:\/\/www.mozilla.org\/en-US\/security\/bug-bounty\/\"> our bug bounty program<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Providing a web browser that you can depend on year after year is one of the core tenet of the Firefox security strategy. We put a lot of time and &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/\">Read more<\/a><\/p>\n","protected":false},"author":652,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[45548],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Trusting the delivery of Firefox Updates - Mozilla Security Blog<\/title>\n<meta name=\"description\" content=\"In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired X41 D-SEC Gmbh to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Julien Vehent\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/\",\"name\":\"Trusting the delivery of Firefox Updates - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2018-10-09T08:00:40+00:00\",\"dateModified\":\"2018-10-09T13:45:15+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/859cacdfdbcc8ac96f58f1adc940e8dc\"},\"description\":\"In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired X41 D-SEC Gmbh to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trusting the delivery of Firefox Updates\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/859cacdfdbcc8ac96f58f1adc940e8dc\",\"name\":\"Julien Vehent\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/b873504437975149cff1eb424ae01d15\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b9b9662b5c966927b5cbff7f42bf323e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b9b9662b5c966927b5cbff7f42bf323e?s=96&d=identicon&r=g\",\"caption\":\"Julien Vehent\"},\"description\":\"Julien runs the Firefox Operations Security team.\",\"sameAs\":[\"https:\/\/mozillians.org\/en-US\/u\/jvehent\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Trusting the delivery of Firefox Updates - Mozilla Security Blog","description":"In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired X41 D-SEC Gmbh to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/","twitter_misc":{"Written by":"Julien Vehent","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/","name":"Trusting the delivery of Firefox Updates - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2018-10-09T08:00:40+00:00","dateModified":"2018-10-09T13:45:15+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/859cacdfdbcc8ac96f58f1adc940e8dc"},"description":"In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired X41 D-SEC Gmbh to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/09\/trusting-the-delivery-of-firefox-updates\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Trusting the delivery of Firefox Updates"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/859cacdfdbcc8ac96f58f1adc940e8dc","name":"Julien Vehent","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/b873504437975149cff1eb424ae01d15","url":"https:\/\/secure.gravatar.com\/avatar\/b9b9662b5c966927b5cbff7f42bf323e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b9b9662b5c966927b5cbff7f42bf323e?s=96&d=identicon&r=g","caption":"Julien Vehent"},"description":"Julien runs the Firefox Operations Security team.","sameAs":["https:\/\/mozillians.org\/en-US\/u\/jvehent\/"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2389"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/652"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2389"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2389\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2389"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}