Mozilla officials say they'll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.
The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CA)...
Until Mozilla releases the update, Firefox users who are concerned they might be targeted by nation-sponsored adversaries should consider using a different browser or, alternately, configuring Firefox to stop automatically accepting extension updates.
Continue reading: http://arstechnica.com/security/2016/09/mozilla-checks-if-firefox-is-affected-by-same-malware-vulnerability-as-tor/