Firefox Zero-day exploit puts Tor users at risk

A publicly released exploit (zero-day exploit) works against many Firefox browser versions and puts Tor users (and possibly other Firefox users) at risk. Officials at Tor have confirmed the vulnerability; no Firefox patch is available yet.


The first mention of the exploit was made in this Tor forum post from November 29, 2016.

This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP.

The posting indicates that a JavaScript exploit that works on Windows systems is being used in the wild. Tor founder Roger Dingledine confirms the vulnerability. @TheWack0lian points out in a tweet that this vulnerability was already used by the FBI in 2013 (see this Ars Technica post).

Analysis from a security researcher points out that the vulnerability allows remote code execution within Firefox (versions 41 to 50) under Windows. Because there is no fix available yet, it's wise to switch off JavaScript in the Firefox browser. Further details may be found in this Ars Technica article.
