Firefox Zero-day exploit puts Tor users at risk

MozillaA publicly released exploit (zero-day exploit) works against many Firefox browser versions – and put Tor users (and possibly other Firefox users) at risk. Officials at Tor has confirmed the vulnerability, no Firefox patch is available yet.


Advertising

The first mention of the exploit was made within this Tor forum post fom November, 29, 2016.

This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP.

The posting indicates, that a JavaScript exploit is used in the wild that works on Windows systems. Tor founder Roger Dingledine confirms the vulnerability. @TheWack0lian points out within a tweet, that this vulnerability already has been used in 2013 from FBI (see this Arstechnica post).

Analysis from security researcher points out, that the vulnerability allows remote code execution within Firefox (versions 41 till 50) under Windows. Because there is no fix available yet, it's wise to switch off JavaScript in Firefox browser. Further details may be found within this ArsTechnica article.


Advertising

This entry was posted in Windows and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).