[Patched]: Mozilla Rushes to Patch Firefox 0-Day Attacking Tor Users in the Wild
Attackers are exploiting a zero-day vulnerability in the Firefox browser to target the computers of people using Tor, and possibly other Firefox users as well. Mozilla and the Tor developers are expected to release emergency updates to address the flaw.
The Tor Browser, which is based on Firefox, is expected to be updated as soon as Mozilla releases the fix. Tor Project co-founder and president Roger Dingledine said Mozilla is aware of the issue and is working on a patch.
Mozilla races to patch flaw that attacks Tor browser users
According to an independent researcher, the malicious payload is identical to one that the FBI used in 2013 to deanonymize visitors of a Tor-protected child pornography site. That was not the only time the FBI used a Firefox zero-day exploit to deanonymize targets. Earlier this year, Mozilla asked a court to require the government to disclose the flaws the agency used in 2015 to unmask users in the notorious Playpen case.
Security firm Trail of Bits, which analyzed the exploit, said the attack leverages a use-after-free vulnerability in Firefox's SVG parser. Firm CEO Dan Guido tweeted that this class of flaw was researched in WebKit years ago and that Firefox still lags behind. A use-after-free becomes exploitable when the attacker can place controlled data into the freed object's memory before the engine uses its dangling pointer; Google Chrome makes that harder through memory partitioning (keeping different kinds of objects in separate allocation pools), a mitigation Firefox does not offer.
MWR published research in this area years ago in WebKit, and it appears that Firefox is lagging a few years behind. https://t.co/XGybXewB4D
— Dan Guido (@dguido) November 30, 2016
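To make the point about memory partitioning concrete, here is an added example written for this page; it is not code from Firefox, Chrome, Trail of Bits or the exploit itself. It models a tiny slot allocator with a lowest-free-slot policy, frees a node-like object while a second reference to it survives, then allocates an attacker-controlled buffer of the same size. With one shared pool the buffer lands in the freed node's slot and the stale pointer now reads attacker-supplied bytes; with one pool per object type the stale read returns the old contents instead. The allocator, the `node_t` layout, the type tags and the 0x41 fill are all constructed for illustration and are assumptions, not Firefox's SVG code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy heap with fixed-size slots and a lowest-free-slot policy, so a freed
 * slot is handed straight back to the next same-size request. Constructed for
 * this illustration; it is not Firefox's or Chrome's allocator. */
#define SLOT_SIZE 32
#define SLOTS_PER_PARTITION 8
#define MAX_PARTITIONS 2

enum { TYPE_NODE = 0, TYPE_BUFFER = 1 };   /* assumed object kinds */

typedef struct {
    union { uint64_t align; unsigned char bytes[SLOT_SIZE]; } slots[SLOTS_PER_PARTITION];
    bool used[SLOTS_PER_PARTITION];
} partition_t;

typedef struct {
    partition_t parts[MAX_PARTITIONS];
    bool partitioned;   /* false: every type shares one pool; true: one pool per type */
} toy_heap_t;

static void heap_init(toy_heap_t *h, bool partitioned) {
    memset(h, 0, sizeof *h);
    h->partitioned = partitioned;
}

static partition_t *pool_for(toy_heap_t *h, int type) {
    return &h->parts[h->partitioned ? type : 0];
}

static void *heap_alloc(toy_heap_t *h, int type) {
    partition_t *p = pool_for(h, type);
    for (int i = 0; i < SLOTS_PER_PARTITION; i++) {
        if (!p->used[i]) {
            p->used[i] = true;
            return p->slots[i].bytes;
        }
    }
    return NULL;
}

/* Like a real free(), this does not wipe the slot's contents. */
static void heap_free(toy_heap_t *h, int type, void *ptr) {
    partition_t *p = pool_for(h, type);
    for (int i = 0; i < SLOTS_PER_PARTITION; i++)
        if ((void *)p->slots[i].bytes == ptr) { p->used[i] = false; return; }
}

/* Stand-in for an engine object whose first word is a pointer the engine
 * later dereferences (for example a vtable pointer). Assumed layout. */
typedef struct {
    uint64_t vptr;
    uint64_t payload;
} node_t;

#define ORIGINAL_VPTR 0x1000ULL

/* Runs the use-after-free pattern once and returns the value the engine
 * would read through the dangling pointer. The attacker-controlled buffer is
 * constructed here with a recognisable 0x41 fill. */
static uint64_t uaf_read_vptr(bool partitioned) {
    toy_heap_t h;
    heap_init(&h, partitioned);

    node_t *node = heap_alloc(&h, TYPE_NODE);
    node->vptr = ORIGINAL_VPTR;
    node->payload = 0;

    node_t *dangling = node;            /* a second reference that is never cleared */
    heap_free(&h, TYPE_NODE, node);     /* object destroyed, reference survives */

    /* Attacker-controlled allocation of the same size as the freed node. */
    unsigned char *buf = heap_alloc(&h, TYPE_BUFFER);
    memset(buf, 0x41, SLOT_SIZE);

    uint64_t v;
    memcpy(&v, dangling, sizeof v);     /* byte-level read of the stale slot */
    return v;
}

/* True when the attacker's buffer landed exactly where the freed node was. */
static bool uaf_slot_reused(bool partitioned) {
    return uaf_read_vptr(partitioned) == 0x4141414141414141ULL;
}

int main(void) {
    printf("shared pool:      vptr read = 0x%016llx (%s)\n",
           (unsigned long long)uaf_read_vptr(false),
           uaf_slot_reused(false) ? "attacker-controlled" : "stale");
    printf("partitioned pool: vptr read = 0x%016llx (%s)\n",
           (unsigned long long)uaf_read_vptr(true),
           uaf_slot_reused(true) ? "attacker-controlled" : "stale");
    return 0;
}
```

The partitioned case is still a use-after-free: the stale read is still a bug and can still crash or leak, but the attacker no longer controls what the dangling pointer sees with a same-size allocation of a different type. That is why partitioning raises the cost of exploitation rather than removing the bug, and why the underlying flaw still has to be patched.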
Mozilla said its engineers are working on a fix and will rush out a patch. Because the flaw was already being exploited in the wild, the Tor Project published the details as part of a warning that users are under attack now. Publication of the complete exploit source code puts it in the hands of even more people, which adds urgency to the mitigation effort.
[Update]: Mozilla releases emergency patch
In an email to Wccftech, Mozilla confirmed that it has patched the vulnerability. Tor is expected to update its browser soon, and users can also download the new version manually.
Mozilla released an update to Firefox containing a fix for a vulnerability reported as being actively used to deanonymize Tor Browser users. Existing copies of Firefox should update automatically over the next 24 hours; users may also download the updated version manually.