Zen Browser Unsigned Update Vulnerability in MAR Updater Allowing Arbitrary Code Execution
Vulnerability
A vulnerability exists in Zen Browser versions prior to 1.19.9b, where the Mozilla Application Resource (MAR) updater lacks proper signature verification. This flaw allows unsigned updates to be delivered to users, potentially leading to the execution of arbitrary code. The issue arises because the MAR files provided to users contain no cryptographic signatures, and the updater itself does not include any verification code. As a result, if the update server or GitHub release pipeline is compromised, malicious unsigned code can be distributed to all Zen users via the auto-update mechanism.
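The missing check, as an added illustration that is not code from the Zen or Mozilla projects: a small Python parser that reads the signed-MAR header and refuses any update file carrying zero signatures. It assumes the documented MAR layout (magic "MAR1", index offset, file size, signature count, signatures, additional-section count) and builds its own constructed sample files; cryptographically verifying each signature against the vendor's public key is the further step a real updater must perform.

```python
import struct

MAR_MAGIC = b"MAR1"
# Smallest header that can carry a signature block:
# magic(4) + index offset(4) + file size(8) + sig count(4) + extra-section count(4)
MIN_SIGNED_HEADER = 4 + 4 + 8 + 4 + 4


def mar_signature_count(data: bytes) -> int:
    """Return the number of signatures declared in a MAR header.
    Raises ValueError for a non-MAR, a truncated file, a legacy (pre-signature)
    layout, or a declared file size that does not match what was delivered."""
    if len(data) < MIN_SIGNED_HEADER or data[:4] != MAR_MAGIC:
        raise ValueError("not a MAR file or truncated header")
    index_offset, file_size, num_sigs = struct.unpack(">IQI", data[4:20])
    if index_offset < MIN_SIGNED_HEADER:
        raise ValueError("legacy MAR layout: no signature block present")
    if file_size != len(data):
        raise ValueError("declared file size does not match delivered bytes")
    return num_sigs


def is_acceptable_update(data: bytes) -> bool:
    """Gate an update: accept only MARs that carry at least one signature.
    Presence check only; the signature bytes must still be verified."""
    try:
        return mar_signature_count(data) > 0
    except ValueError:
        return False


def build_sample_mar(signatures: list) -> bytes:
    """Constructed minimal signed-layout MAR (sample data, not real RSA output)."""
    sig_block = struct.pack(">I", len(signatures))
    for sig in signatures:
        # algorithm ID 2 is what Mozilla's signmar uses for RSA/SHA-384
        sig_block += struct.pack(">II", 2, len(sig)) + sig
    sig_block += struct.pack(">I", 0)  # no additional sections
    content = b"updatev3.manifest placeholder"  # constructed payload
    header_len = 4 + 4 + 8 + len(sig_block)
    index_offset = header_len + len(content)
    item = struct.pack(">III", header_len, len(content), 0o644) + b"updatev3.manifest\0"
    index = struct.pack(">I", len(item)) + item
    total = index_offset + len(index)
    return MAR_MAGIC + struct.pack(">IQ", index_offset, total) + sig_block + content + index


def build_legacy_mar() -> bytes:
    """Constructed pre-signature layout: magic, index offset, content, index."""
    content = b"legacy content"
    item = struct.pack(">III", 8, len(content), 0o644) + b"f\0"
    index = struct.pack(">I", len(item)) + item
    return MAR_MAGIC + struct.pack(">I", 8 + len(content)) + content + index
```

Run on a real MAR the same gate reports zero signatures for the unsigned files the advisory describes, which is exactly the condition a hardened updater must treat as a fatal error rather than proceed.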
Impact
Exploitation of this vulnerability could result in the execution of arbitrary code on the user's machine, facilitated by the browser's update mechanism.
Reproduction
The vulnerability can be reproduced by downloading the unsigned MAR file from the Zen Browser GitHub release page and substituting it for a signed MAR file in a Firefox-based browser. When the updater is run, it applies the unsigned update without any signature verification, allowing for the execution of arbitrary code.
Remediation
Users can update to Zen Browser version 1.19.9b or later, where this vulnerability has been fixed. Instructions for updating can be found on the Zen Browser GitHub page.
