SoylentNews is people
SoylentNews
Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln
"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."
http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
Firefox 0day in the wild is being used to attack Tor users
The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
[tor-talk] Javascript exploit
"This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 30 2016, @12:50PM
Today I learned SVG can contain javascript.
And I facepalmed, hard.
(Score: 3, Interesting) by jcross on Wednesday November 30 2016, @03:14PM
Well if people really want to follow through with killing Flash while still leaving a credible replacement, it kind of has to. CSS3 animations are cool but will only get you so far, and the potential for interactivity is very limited. I'm not saying we absolutely *need* interactive vector graphics, but if we want it, then SVG with javascript is the only practical, performant, standards-based solution I can think of.
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @09:45PM
> Today I learned SVG can contain javascript.
But does it?
Because from reading the info on the other ends of the link it seem more like the inverse - that javascript can modify SVG, much like it can modify the DOM.