Tor releases urgent update for Firefox 0day that’s under active attack

Developers with Tor have published a browser update that patches a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

"The security flaw responsible for this urgent release is already actively exploited on Windows systems," a Tor official wrote in an advisory published Wednesday afternoon. "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Mozilla officials said on Tuesday they were in the process of developing a fix that would presumably cover mainstream versions of Firefox, but at the time this post was being prepared, a patch was not yet available. Mozilla representatives didn’t respond to an e-mail seeking comment for this post.

Attack code exploiting a use-after-free vulnerability in Firefox first circulated Tuesday on a Tor discussion list and was quickly confirmed as a zero-day, the term given to vulnerabilities that are actively exploited in the wild before the developer has a patch in place. The malicious payload delivered is almost identical to one the FBI used in 2013 to identify people who were trading child pornography on a Tor-anonymized website. Because the initial post to the Tor group included the complete source code, the highly reliable exploit is now in the hands of potentially millions of people.

Besides an update for Firefox, Wednesday’s Tor release also includes an update to NoScript, a Firefox extension that ships with the Tor browser. NoScript allows users to select the sites that can and cannot execute JavaScript in the browser. For privacy and usability reasons, the Tor browser has traditionally installed NoScript in a way that allowed all sites to run JavaScript in the browser. It’s not clear what effect the new NoScript update has on that policy.

Tor users should install the fix at once. People using both Tor and mainstream versions of Firefox are believed to be protected from the attack by setting the Firefox security slider to "High," although the setting may prevent many sites from working as expected. For much more about this attack, see Ars' previous coverage, "Firefox 0-day in the wild is being used to attack Tor users."

Source: Risk Assessment – Ars Technica @ November 30, 2016 at 02:30PM