An active zero-day exploit has been discovered affecting both the Firefox and Tor browsers – the latter because it is based on the former (specifically, on the Firefox ESR browser).
At this point it’s not known who first started wielding the exploit, however, it is very similar to an earlier exploit employed by the FBI in 2013 to target users of hidden services.
The use-after-free, remote code execution flaw is being exploited to reveal information about the machine, and consequently, the identity of its user. According to GData Security researchers… “The exploit has an all around professional touch and uses state of the art exploitation techniques. There is no persistent threat, everything is done in memory, therefore even the newly introduced Sandbox in Firefox is nothing that can stop this particular attack.”
The good news is that both Mozilla and the Tor Project have reacted quickly and released security updates to fix the zero-day flaw. If you haven’t done so already, Firefox users should upgrade to version 50.0.2, Firefox ESR users to version 45.5.1, Thunderbird users to version 45.5.1, and TOR users to version 6.0.7, as soon as possible.
According to Tor Browser developer Georg Koppen… “The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well”.
This vulnerability can also be mitigated by disabling JavaScript in both browsers.
References:
- Firefox and Thunderbird: Mozilla Foundation Security Advisory 2016-92
- Tor Project: Tor Browser 6.0.7 is released
- GData Security Blog: Firefox 0-Day targeting Tor-Users
—