Update Your Firefox and/or Tor Browser NOW


An active zero-day exploit has been discovered affecting both the Firefox and Tor browsers – the latter because it is based on the former (specifically, on the Firefox ESR browser).

At this point it’s not known who first started wielding the exploit; however, it is very similar to an earlier exploit employed by the FBI in 2013 to target users of hidden services.

The use-after-free, remote code execution flaw is being exploited to reveal information about the machine, and consequently, the identity of its user. According to GData Security researchers… “The exploit has an all around professional touch and uses state of the art exploitation techniques. There is no persistent threat, everything is done in memory, therefore even the newly introduced Sandbox in Firefox is nothing that can stop this particular attack.”

The good news is that both Mozilla and the Tor Project have reacted quickly and released security updates to fix the zero-day flaw. If you haven’t done so already, upgrade as soon as possible: Firefox users to version 50.0.2, Firefox ESR users to version 45.5.1, Thunderbird users to version 45.5.1, and Tor Browser users to version 6.0.7.

According to Tor Browser developer Georg Koppen… “The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well”.

This vulnerability can also be mitigated by disabling JavaScript in both browsers.
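For anyone checking more than one machine, the following added example (not part of the original article or of any Mozilla or Tor Project tooling) audits a software inventory against the patched versions listed above, comparing each install against its own release channel so that an ESR build is not judged against the 50.x line. The CSV layout, hostnames and product keys are assumptions made for illustration, as is the premise that later releases carry the fix.

```python
import csv
import io
import re

# Patched versions as listed in the article; later releases are assumed fixed.
PATCHED = {
    "firefox": (50, 0, 2),
    "firefox-esr": (45, 5, 1),
    "thunderbird": (45, 5, 1),
    "tor-browser": (6, 0, 7),
}

def parse_version(text):
    """Turn '45.5.1esr' or '50.0' into a tuple of ints, padded to three parts."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def needs_update(product, version):
    """True if the install is below the patched version for its own channel."""
    key = product.strip().lower()
    # An 'esr' suffix selects the ESR baseline: judging 45.5.1esr against
    # 50.0.2 would flag a patched install as vulnerable.
    if key == "firefox" and version.strip().lower().endswith("esr"):
        key = "firefox-esr"
    if key not in PATCHED:
        raise KeyError(f"no patched version listed for {product!r}")
    return parse_version(version) < PATCHED[key]

def audit(inventory_csv):
    """Return sorted (host, product, version) rows that still need the update."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted((r["host"], r["product"], r["version"])
                  for r in rows if needs_update(r["product"], r["version"]))

# Constructed inventory; hostnames and column names are hypothetical.
SAMPLE = """host,product,version
ws-01,firefox,50.0.2
ws-02,firefox,49.0.2
ws-03,firefox,45.5.1esr
ws-04,firefox,45.5.0esr
ws-05,thunderbird,45.5.0
ws-06,tor-browser,6.0.6
ws-07,tor-browser,6.0.7
ws-08,firefox,50.0
"""

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} is below the patched version")
```

A Firefox install reported without the `esr` suffix is compared against 50.0.2, which errs on the side of flagging it.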


About the Author

Jim Hillier
