CVE-2022-29910 Firefox for Android would not properly record and persist HSTS settings if it's closed or sent to the background.

On Windows, Linux and Mac computers and in various mobile and remote computing scenarios, a malicious website could bypass the user's HSTS setting and force Firefox to use insecure content.br> On Firefox for Android, the browser would not properly record and persist HSTS settings, potentially leaving users vulnerable to man-in-the-middle attacks while using insecure content on their smartphones or tablets.

Solution: Stay updated with latest software updates

HSTS (HTTP Strict Transport Security) is a security feature that prevents websites from being accessed on insecure connections. The connection might be secure but if the website wants to target a user in an insecure manner, it won't work. This is why HSTS is only effective on secure connections and not insecure ones.
You need to update your software to stay protected. The latest Firefox version includes a fix for this issue. You can also check if your device manufacturer has released any updates that could have fixed the problem.
If you're using Linux, installing the Firefox version of this fix may require executing some commands in terminal or shell and then rebooting your computer or device. If you're using Windows, you can use the easy fix provided by Mozilla's Firefox release notes for Windows: https://www.mozilla.org/en-US/firefox/organizations/faq/current-versions-of-firefox/#updating-to-the-latest-windows-release

How do I find out if I'm affected?

If you are using Firefox on your computer and are not using HSTS, you should take steps now to protect yourself. You can find out if you're affected by clicking the menu button in the top-right corner of your browser window and looking for a small padlock below 'https://' (the green padlock with a key). If it is gray or not visible, you need to enable HSTS.

How to update Firefox

There are a few ways to update Firefox.
You can download the latest version of Firefox from https://www.mozilla.org/en-US/firefox/all/.

What is HTTPS?

I'm going to cover what HTTPS is, how it works, the types of attacks you could experience and how to prevent them.
First things first: what is HTTPS? HTTPS stands for Hypertext Transfer Protocol Secure. This protocol basically encrypts all traffic between your browser and a website so that only the intended website can see it. This means that if you're browsing on Firefox on Windows, Linux or Mac computers as well as in various mobile or remote computing scenarios (e.g., a tablet), a malicious website cannot access your device's data or use insecure content to attack you. In other words, with this protocol, your system will be protected from man-in-the-middle attacks like phishing attempts, spoofing and more.

Vulnerable Codes and Solution

CVE-2022-29910 is the number assigned to this vulnerability.
The most direct way to avoid risk of attack is by using the following browser setting: "Strict-Transport-Security": max-age=31536000 (1y). It would also be wise to use an Extended HSTS policy that includes "HSTS preload" and "HTTP Public Key Pinning".

1. On Windows, Linux, and Mac computers and in various mobile and remote computing scenarios, a malicious website could bypass the user's HSTS setting and force Firefox to use insecure content.
2. On Firefox for Android, the browser would not properly record and persist HSTS settings, potentially leaving users vulnerable to man-in-the-middle attacks while using insecure content on their smartphones or tablets.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 21:01:00 UTC

References