An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities, and the flaws rated “high severity” were not easy to exploit.
Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.
X41’s audit revealed 14 vulnerabilities, including three issues that, based on their CVSS score, would be rated “high severity,” seven rated “medium,” and four rated “low.” In addition, the experts discovered 21 issues that Mozilla described as “side findings,” which are informational.