Tor, Firefox Users Hit by Zero Day

Friday, December 2, 2016 @ 03:12 PM gHale

Mozilla and Tor developers released browser updates that patch a critical Firefox vulnerability allowing attackers to eliminate anonymity for those using the privacy service.

“The security flaw responsible for this urgent release is already actively exploited on Windows systems,” a Tor official said in an advisory. “Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.”

RELATED STORIES
Securing Against Disguised Data
IoT Attack Scare: Is Industry Ready?
Network Visibility with New Platform
ICSJWG: Security in Perspective

As it turns out, the Tor browser uses the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post saying the vulnerability also ended up fixed in a just-released version of Firefox for mainstream users. On Wednesday Veditz’s team received a copy of the attack code that exploited a previously unknown vulnerability in Firefox.

The attack executed code when targets loaded malicious JavaScript and code based on scalable animation vector graphics. The exploit used the capability to send the target’s IP and MAC address to an attacker-controlled server. The code in general resembles the types of network investigative techniques used by law-enforcement agencies, and specifically one the FBI used in 2013 to identify Tor-protected users who were trading child pornography.

“This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency,” Veditz wrote. “As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.”

The underlying vulnerability’s case number is CVE-2016-9079 and rates as critical. A separate Mozilla security advisory shows it also affects Mozilla’s Thunderbird e-mail application, as well as the Firefox Extended Support release version used by the Tor browser. A thread on an online forum for discussing Firefox bugs indicated the critical flaw has existed in the browser code base for five years.

Besides an update for Firefox, Wednesday’s Tor release also includes an update to NoScript, a Firefox extension that ships with the Tor browser. NoScript allows users to select the sites that can and cannot execute JavaScript in the browser. For privacy and usability reasons, the Tor browser has traditionally installed NoScript in a way that allowed all sites to run JavaScript in the browser. It’s not clear what effect the new NoScript update has on that policy.



Leave a Reply

You must be logged in to post a comment.