Mozilla and the Tor Project have acted quickly to patch a zero-day bug virtually identical to one used by the FBI a few years ago to unmask users of the anonymizing browser.
It was discovered after the related exploit was posted to a public Tor Project mailing list.
“The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code,” explained Mozilla security lead, Daniel Veditz. “It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server.”
The bug affects Windows, Mac and Linux machines, although the payload of the exploit only works on Windows, he added.
The Tor Project urged all users to apply the new update (6.0.7) immediately and restart their machines. An alternative is to set the security slider to “high” on the browser, it added.
The exploit in question is said to work in almost exactly the same way as the “network investigative technique” the FBI was revealed to be using back in 2013 to deanonymize Tor users.
It has led to speculation that this new find was also developed by the Feds.
“As of now, we do not know whether this is the case,” said Veditz.
“If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader web.”
Malwarebytes lead malware intelligence analyst, Jerome Segura, added that the case has again highlighted the fact that browsers and their plug-ins are the best attack vector for the delivery of malware via drive-by attacks.