Mozilla and Tor issue patches for Firefox flaw exposing Tor users

Mozilla and the Tor Project have issued software updates to block attackers using a zero-day Firefox vulnerability to identify users of the Tor anonymous web browsing services.

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation.

Firefox has been updated to version 50.0.2, the Tor Browser to 6.0.7, and Tails, the live operating system that routes its traffic over the Tor network, to 2.7.1.

Although the exploit seen in the wild is believed to have targeted only Windows users, the underlying Firefox vulnerability could in principle be used against Mac OS X and Linux users as well, according to Neowin.

Mozilla said existing copies of Firefox should update automatically, but that users may also download the updated version manually.

The update was released after Mozilla was provided, on 29 November 2016, with code for an exploit that used a previously unknown vulnerability in Firefox.

The code was also posted in a Tor discussion group, which meant that a highly reliable exploit quickly became available to millions of people.

The exploit takes advantage of a memory-safety bug in Firefox, a use-after-free in the browser's SVG animation code, to execute arbitrary code on the targeted system once the victim loads a web page containing malicious JavaScript and SVG (scalable vector graphics) markup.

It uses this capability to collect the IP address and MAC address of the targeted system and report them back to a central server, Mozilla security lead Daniel Veditz wrote in a blog post.

“The exploit in this case works in essentially the same way as the ‘network investigative technique’ used by the FBI to deanonymize Tor users (as the FBI described it in an affidavit).

“This similarity has led to speculation that this exploit was created by the FBI or another law enforcement agency,” he said.

If this was in fact developed and deployed by a government agency, Veditz said the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader web.

Users of the Tor browser are encouraged to update all their browsing software to the latest versions and to restart their Tor browser after updating.

According to the release notes for the latest version of Firefox, the underlying vulnerability is identified as CVE-2016-9079 and is rated as critical.

A separate Mozilla security advisory shows the flaw also affects Mozilla’s Thunderbird e-mail client and the Firefox Extended Support Release (ESR) branch on which the Tor browser is built, reports Ars Technica.
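A practical check that follows from the version numbers above is an inventory sweep for builds that predate the fix. The script below is an added example, not code from the article, Mozilla or the Tor Project; the inventory records and their format are constructed for illustration. It uses the fixed versions named in the article (Firefox 50.0.2, Tor Browser 6.0.7, Tails 2.7.1) plus the fixed versions given in Mozilla's advisory MFSA 2016-92 for the ESR branch and Thunderbird (45.5.1). The point it shows is the trap a naive numeric comparison falls into: a patched Firefox ESR 45.5.1 is numerically far below 50.0.2, so the branch has to be compared separately.

```python
"""Flag Firefox, Firefox ESR, Thunderbird, Tor Browser and Tails builds
that predate the CVE-2016-9079 fixes.

Added example; the inventory below is constructed and its record
format (hostname, product, version string, optional channel) is an assumption.
"""
import re
from typing import List, Optional, Tuple

# Minimum patched version per (product, branch). Release and ESR are
# separate branches: ESR 45.5.1 is patched even though 45 < 50.
FIXED = {
    ("firefox", "release"): (50, 0, 2),
    ("firefox", "esr"): (45, 5, 1),        # MFSA 2016-92
    ("thunderbird", "release"): (45, 5, 1),  # MFSA 2016-92
    ("tor-browser", "release"): (6, 0, 7),
    ("tails", "release"): (2, 7, 1),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def parse_version(raw: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split '45.5.1esr' into ((45, 5, 1), 'esr') and '50.0.2' into ((50, 0, 2), None).

    The trailing 'esr' marker is the only branch hint present in the
    version string itself; anything else must come from the inventory.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    branch = "esr" if m.group(2) else None
    return numbers, branch


def _pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '2.7' compares as (2, 7, 0) against (2, 7, 1)."""
    return tuple(version) + (0,) * (width - len(version))


def is_vulnerable(product: str, raw_version: str, channel: Optional[str] = None) -> bool:
    """True when the build is older than the fixed version for its branch.

    `channel` overrides the branch inferred from the version string, for
    inventories that record the update channel separately from the version.
    """
    numbers, inferred = parse_version(raw_version)
    branch = (channel or inferred or "release").lower()
    key = (product.lower(), branch)
    if key not in FIXED:
        raise ValueError(f"no fixed version known for {key}")
    return _pad(numbers) < _pad(FIXED[key])


# Constructed sample inventory: (hostname, product, version, channel or None).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "50.0.1", None),      # release branch, one behind the fix
    ("ws-02", "firefox", "50.0.2", None),      # patched release
    ("ws-03", "firefox", "45.5.1esr", None),   # patched ESR, numerically below 50.0.2
    ("ws-04", "firefox", "45.5.0", "esr"),     # unpatched ESR, branch from inventory
    ("ws-05", "thunderbird", "45.5.1", None),  # patched
    ("ws-06", "tor-browser", "6.0.6", None),   # unpatched
    ("ws-07", "tor-browser", "6.0.7", None),   # patched
    ("ws-08", "tails", "2.7", None),           # 2.7 == 2.7.0, still below 2.7.1
]


def find_unpatched(inventory) -> List[str]:
    """Return hostnames whose installed build predates the fix."""
    return [host for host, product, version, channel in inventory
            if is_vulnerable(product, version, channel)]


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: predates CVE-2016-9079 fix")
```

Note that a bare "45.5.1" with no ESR marker and no channel hint is treated as a release-branch build and flagged as vulnerable; an inventory that strips the `esr` suffix must supply the channel explicitly or the check will over-report. That is the safer failure direction, but it is worth knowing about before acting on the output.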

A thread on an online forum for discussing Firefox bugs indicated the critical flaw has existed in the browser code base for five years.

News of the exploit has raised concerns that it may have been used to unmask political dissidents or innocent users of the Tor anonymity services.
