Tor Browser zero-day strikes again

A newly discovered vulnerability in the Firefox web browser has been found being exploited in the wild. It is not the first time this has happened: as some of you may recall, back in 2013 the FBI used a nearly identical one to expose some users running the Tor Browser.

The Tor Browser (based on Mozilla Firefox ESR) is used worldwide by people who want greater anonymity online, including political activists or dissidents wanting to bypass limitations or surveillance put in place by oppressive regimes. Via this exploit, an attacker can collect the victim’s IP and MAC addresses, as well as their hostname, which it sends to a remote server. This server is now down, but we were able to reproduce the exploit and observe the TCP packets where the data would be sent.


It’s worth noting that not all exploits are meant to infect the target machine. In this case, for example, the goal is to leak user data with as small a footprint as possible. No malicious code is downloaded to disk; only shellcode is run directly from memory.
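Because nothing is written to disk, the outbound connection is the artifact a defender can look for. The following is an added example, not code from the original post: it scans constructed connection records and flags any connection made by the Tor Browser's firefox process that does not go to the local Tor proxy. The record format, the install path, and the loopback ports 9150/9151 (Tor Browser defaults) are assumptions.

```python
import ipaddress

# Assumption: Tor Browser's firefox talks only to the local Tor SOCKS (9150)
# and control (9151) ports; everything else it opens is suspect.
ALLOWED_LOOPBACK_PORTS = {9150, 9151}

# Constructed sample records: "process_path pid remote_ip remote_port".
SAMPLE_LOG = """\
/opt/tor-browser/Browser/firefox 4121 127.0.0.1 9150
/opt/tor-browser/Browser/firefox 4121 ::1 9151
/opt/tor-browser/Browser/firefox 4121 203.0.113.25 80
/opt/tor-browser/Browser/TorBrowser/Tor/tor 4100 198.51.100.7 9001
/usr/bin/firefox 5310 198.51.100.44 443
/opt/tor-browser/Browser/firefox 4121 127.0.0.1 8080
garbage line
"""

def is_tor_browser_firefox(path):
    # Hypothetical path convention: the bundle's browser binary lives under
    # "tor-browser/Browser/". The tor daemon itself is excluded, since it
    # legitimately connects out to relays.
    return "tor-browser/Browser/" in path and path.rsplit("/", 1)[-1] == "firefox"

def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed record
    path, pid, ip, port = parts
    try:
        return path, int(pid), ipaddress.ip_address(ip), int(port)
    except ValueError:
        return None  # non-numeric pid/port or invalid address

def find_leaks(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_tor_browser_firefox(rec[0]):
            continue
        _, pid, ip, port = rec
        if ip.is_loopback and port in ALLOWED_LOOPBACK_PORTS:
            continue  # expected traffic to the local Tor proxy
        reason = ("loopback, unexpected port" if ip.is_loopback
                  else "direct connection bypassing Tor")
        findings.append((pid, str(ip), port, reason))
    return findings

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```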


This zero-day can be thwarted by adjusting the security slider to ‘High’ within Tor Browser’s Privacy and Security Settings, but that is not the default option. Alternatively, people running Malwarebytes Anti-Exploit were already protected against this 0day.

This latest attack continues to increase the concern over the Tor Browser’s efficacy against exploits and how other browsers such as Google Chrome or Edge work to handle memory corruption and sandboxing. One thing is for sure: browsers and their plugins remain the best attack vector to deliver malware or leak data via drive-by attacks.

Both Mozilla and Tor have released a patch to address this zero-day.



Source: Malwarebytes Labs @ November 30, 2016 at 03:15PM