Firefox zero-day: Mozilla, Tor issue critical patches to block active attacks
The payload only works against Windows systems running Firefox and the Tor Browser, although the vulnerability also exists on the Firefox for macOS and Linux.
Mozilla and Tor have released patches for Firefox and the Firefox-based Tor Browser to block a live attack aimed at unmasking users of the Tor anonymity network.
The patch, which Mozilla released on Wednesday, addresses a Firefox animation remote code execution flaw that on Tuesday was discovered to have been actively exploited to de-anonymize Tor Browser users.
The attack relied on Firefox or the Firefox-based Tor Browser to load a webpage that contained malicious JavaScript and scalable vector graphics (SVG) code. The exploit was designed to scoop up the real IP and MAC address of Windows systems and send it to a central server, Mozilla's security lead, Daniel Veditz said.
The payload only works against Windows systems running Firefox and the Tor Browser, although Veditz noted the vulnerability exists on the Firefox for macOS and Linux, so he urged users of these platforms to update their browser too.
The issue, which Mozilla rates as critical for Firefox, is fixed in Firefox version 50.0.2, and Firefox Extended Support Release version 45.5.1, according to Mozilla's release notes. The bug also affected Mozilla's Thunderbird email client and is fixed in version 45.5.1.
The Tor Project offered the same advice in a post urging users to update to Tor Browser 6.0.7, which also contains an update to the NoScript JavaScript blocker.
"The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."
Veditz said Mozilla was provided the exploit code early on Tuesday, a few hours before it was published on Pastebin, where it had about 900 views. Half an hour after it appeared on Pastebin, it was posted by someone in a message on the Tor Project Mailing list.
As security researchers noted yesterday, the exploit code for this attack was nearly identical to an exploit known to have been used by the FBI in 2013 to unmask the IP addresses of Tor users who had been visiting a hidden service hosting child-abuse material.
The exploit touches on Mozilla's recent request to be told if law enforcement use a zero-day flaw in Firefox during an investigation, so that it may patch the issue and protect Firefox users.
Veditz said Mozilla didn't know whether the FBI or any other government agency had created this exploit.
However, he highlighted that it was essentially the same method that the FBI recently described in court filings detailing a "network investigative technique" it had used to de-anonymize Tor users during a 2015 investigation into a hidden pedophile website called Playpen. The investigation aimed to reveal visitors' true IP address, identity, and location.
Against the FBI's wishes, the judge presiding over a case against one Playpen defendant ordered the agency reveal to the defendant's legal team exactly how it hacked his computer. As Motherboard reported this week, a judge in a related case revealed in a court filing in November that the FBI had used a "non-publicly-known vulnerability".
Given that the Tor Browser shares some Firefox code, it is suspected that this non-publicly-known vulnerability is in fact a zero-day flaw affecting Firefox.
In May, Mozilla filed a 'friend of the court' brief in the Playpen defendant's case, requesting that the FBI tell Mozilla before anyone else if its code is implicated in a security vulnerability. This disclosure would give it an opportunity to fix a bug if it is shared beyond FBI's initial investigation purposes.
This latest exploit, if it was developed by the government, illustrates the problem with law enforcement using zero-day exploits, noted Veditz.
"If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader web," he said.