Mozilla patches Firefox zero-day vulnerability to steal information about Tor Browser users
A Firefox zero-day vulnerability is being used in the wild to unmask Tor Browser users. This is nearly identical to what the FBI used in 2013 to deanonymize Tor users during an investigation of a child pornography site. The critical vulnerability is believed to have affected multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50. However, Mozilla has patched this zero-day with the release of Firefox 50.0.2 and 45.5.1 ESR. The Tor Project has released Tor Browser 6.0.7 to fix the issue on its side.
The zero-day vulnerability became known when an anonymous Tor browser user notified the Tor mailing list of the newly discovered exploit, and posted the exploit code on a Tor Project mailing list from a Sigaint.org email address.
“This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to “VirtualAlloc” in “kernel32.dll” and goes from there. Please fix ASAP. I had to break the “thecode” line in two in order to post, remove ‘ + ‘ in the middle to restore it,” the anonymous user wrote.
The news was quickly confirmed by Roger Dingledine, co-founder of the Tor Project Team, who said that the Mozilla Firefox team had been notified, and they had “found the bug” and were “working on a patch.” The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows Machines.
While the attacks were basically used to target Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk from new attacks. The Tor Browser is based on a version of Firefox and the two often share common vulnerabilities.
Even though a patch has been released, it is still recommended that Firefox users temporarily switch to an alternate browser such as Chrome or Safari whenever possible, or temporarily disable JavaScript on Firefox for as many sites as possible. However, it should be noted that the Tor Project advises against disabling JavaScript.
While the exploit currently appears to only target Firefox on Windows, Dan Guido – CEO of Security firm Trail of Bits – noted on Twitter that macOS users of Firefox are also vulnerable.
