Mozilla patches Firefox zero-day vulnerability used to steal information about Tor Browser users
A Firefox zero-day vulnerability is being used in the wild to unmask Tor Browser users. It is nearly identical to what the FBI used in 2013 to deanonymize Tor users during an investigation of a child pornography site. The critical vulnerability is believed to have affected multiple Windows versions of the open source Firefox web browser, going as far back as Firefox version 41 and up to Firefox version 50. Mozilla has patched this zero-day with the release of Firefox 50.0.2 and 45.5.1 ESR, and the Tor Project has released Tor Browser 6.0.7 to fix the issue on its side.
The zero-day vulnerability became known when an anonymous Tor Browser user notified a Tor Project mailing list of the newly discovered exploit and posted the exploit code there from a Sigaint.org email address.
The news was quickly confirmed by Roger Dingledine, co-founder of the Tor Project Team, who said that the Mozilla Firefox team had been notified, had “found the bug” and were “working on a patch.” The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows machines.
While the attacks were aimed at Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk from new attacks. The Tor Browser is based on a version of Firefox, and the two often share common vulnerabilities.
While the exploit currently appears to target only Firefox on Windows, Dan Guido, CEO of security firm Trail of Bits, noted on Twitter that macOS users of Firefox are also vulnerable.