[Patched]: Mozilla Rushes to Patch Firefox 0-Day Attacking Tor Users in the Wild


Attackers are exploiting a zero-day vulnerability in Firefox browser, targeting computers of people using Tor, and possibly other Firefox users too. Mozilla and Tor developers are expected to release emergency updates to address this security flaw.

The Tor Browser, which is based on Firefox, is expected to be updated as soon as Mozilla releases the fix. Tor Project co-founder and president Roger Dingledine said Mozilla is aware of the issue and is working on a patch.

Mozilla races to patch flaw that attacks Tor browser users

A JavaScript flaw that leverages a zero-day vulnerability in Firefox is being used to execute malicious code on computers of Tor users, Tor confirmed Tuesday. Security researchers have said the flaw exploits a memory corruption vulnerability that allows malicious code to be executed on computers running Windows operating system. The vulnerability reportedly also affects macOS, but the exploit seen in the wild so far is only designed to target Windows systems.

According to an independent researcher, the malicious payload is identical to one that the FBI used in 2013 to deanonymize visitors of a Tor-protected child pornography site. This was not the only time the FBI used a Firefox zero-day exploit to deanonymize targets. Earlier in the year, Mozilla asked a court to require the government to disclose the flaws that the agency used in 2015 to unmask users in the notorious Playpen case.

Security firm Trail of Bits who analyzed the exploit suggested that the attack leverages a use-after-free vulnerability affecting the SVG parser in Firefox. Firm CEO Dan Guido tweeted that these flaws were discovered years ago in WebKit, and Firefox still hasn't addressed them. The flaw is not easily exploited on Google Chrome thanks to memory partitioning, however, Firefox doesn't offer this mitigation.

Mozilla has said the officials are working on a fix and will rush to patch the vulnerability. While the flaw was already being exploited in the wild, Tor published the details as part of warning that users are under attack now. The publication of the complete source code now puts it in the hands of even more people, rushing the mitigation efforts.

Until the patch becomes available, users are advised to use an alternate browser, or at least disable JavaScript. It should be noted, however, that the Tor Project advises against disabling JavaScript.

[Update]: Mozilla releases emergency patch

In an email to Wccftech, Mozilla confirmed patching the vulnerability. Tor is expected to soon update its browser, while users can also manually download the new version.

Mozilla released an update to Firefox containing a fix for a vulnerability reported as being actively used to deanonymize Tor Browser users. Existing copies of Firefox should update automatically over the next 24 hours; users may also download the updated version manually.