A publicly released zero-day exploit works against many Firefox browser versions and puts Tor users (and possibly other Firefox users) at risk. Officials at Tor have confirmed the vulnerability; no Firefox patch is available yet.
The first mention of the exploit was made in this Tor forum post from November 29, 2016.
This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP.
The post indicates that a JavaScript exploit that works on Windows systems is being used in the wild. Tor founder Roger Dingledine confirms the vulnerability. @TheWack0lian points out in a tweet that this vulnerability was already used in 2013 by the FBI (see this Ars Technica post).
The shellcode used is almost exactly the shellcode of the 2013 one https://t.co/6vuIzqp0rj
…except it builds sockaddr_in on the stack. https://t.co/pWsUe4uHiZ
— slipstream/RoL (@TheWack0lian) 29. November 2016
Analysis from a security researcher points out that the vulnerability allows remote code execution within Firefox (versions 41 through 50) under Windows. Because no fix is available yet, it's wise to switch off JavaScript in the Firefox browser. Further details may be found in this Ars Technica article.
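To verify the mitigation on a given profile, the following added example (not part of the original post or of any Mozilla or Tor tooling) classifies a Firefox install from its version string and the text of the profile's prefs.js and user.js. The `javascript.enabled` preference is Firefox's own; the function names and the sample profile content are constructed for illustration.

```python
import re

# Affected range as stated in the article: Firefox 41 through 50 on Windows.
AFFECTED_MAJOR = range(41, 51)

# Matches one user_pref("name", value); line. Commented-out lines do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {pref_name: raw_value} from prefs.js / user.js content."""
    return {m["name"]: m["value"] for m in PREF_RE.finditer(text)}


def javascript_enabled(prefs_js, user_js=""):
    """Effective javascript.enabled; user.js entries override prefs.js."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))
    # Firefox treats the pref as true when it is absent from the profile.
    return prefs.get("javascript.enabled", "true") != "false"


def major_version(version):
    """'45.5.0esr' -> 45; raises ValueError on unparsable input."""
    m = re.match(r"\s*(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1))


def exposure(version, prefs_js, user_js=""):
    """Classify one profile against the article's advice."""
    if major_version(version) not in AFFECTED_MAJOR:
        return "outside reported range"
    if javascript_enabled(prefs_js, user_js):
        return "exposed: JavaScript enabled"
    return "mitigated: JavaScript disabled"


# Constructed sample profile content, not taken from a real system.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.enabled", true);
'''
SAMPLE_USER = 'user_pref("javascript.enabled", false);\n'

if __name__ == "__main__":
    print(exposure("45.5.0esr", SAMPLE_PREFS))
    print(exposure("45.5.0esr", SAMPLE_PREFS, SAMPLE_USER))
```

A profile with no explicit `javascript.enabled` entry is reported as exposed, because the browser default leaves JavaScript on.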