"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.
Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."
http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
"This is an Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."
https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @01:09PM
Well, from the quoted description:
I'm pretty sure Linux doesn't usually come with kernel32.dll or VirtualAlloc.
(Score: 2) by janrinok on Wednesday November 30 2016, @01:49PM
That is true however, there is still some debate as to whether that is the only vector that it can use. There is not yet enough analysis being made public for those using other OS to be feeling smug.
(Score: 2) by jmorris on Wednesday November 30 2016, @04:44PM
Yup. Obviously Firefox is allowing outside content to trigger execution to jump somewhere it shouldn't. On Windows they are using that first exploit to get into the win32 APIs, since that is the way to get to the goodies on a Windows PC. But if that first Firefox bug is also exploitable on Linux they will quickly be injecting an exploit that will call into glibc if the browser detection shows Linux.
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @05:18PM
There is not yet enough analysis being made public for those using other OS to be feeling smug.
I'm an Apple user, smug is my natural state you insensitive clod!
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @09:26AM
I don't want to feel smug, I want to feel safe. Well, in this case NoScript already means that I'm mostly safe, but then, there's a slight chance that such code gets served by one of the few whitelisted sites, so the extra security from not using the targeted operating system is nice.
Given that this uses x86 code, I guess I'd be completely secure from it if I browsed from a Raspberry Pi. It only that weren't so damn slow …
(Score: 0) by Anonymous Coward on Thursday December 01 2016, @11:23AM
It's implemented in Wine: https://source.winehq.org/WineAPI/VirtualAlloc.html [winehq.org]