
posted by janrinok on Wednesday November 30 2016, @10:32AM
from the check-your-security dept.

Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."

http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/

Firefox 0day in the wild is being used to attack Tor users

The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

[tor-talk] Javascript exploit

"This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]
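The reporting above describes the package only at a high level (SVG plus JavaScript carrying x86 code that reaches for "VirtualAlloc" in "kernel32.dll"). The following is an added example, not code from the article, the tor-talk post or any cited analysis: a small Python heuristic a defender could run over captured HTML/SVG responses to flag content with those traits. The scoring weights, the regular expressions and both sample documents are constructed for illustration.

```python
"""Heuristic scanner for web content that stages a native payload from script.

Added example, not from the original story. It scores a document on traits the
reporting describes: a script embedded in SVG/HTML, a large byte blob inside
that script, references to Windows loader symbols, and a platform check that
gates the payload. All thresholds and sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Symbols the tor-talk post says the payload reaches for (from the page).
LOADER_SYMBOLS = ("kernel32.dll", "VirtualAlloc")

# Constructed heuristics: a script body carrying many consecutive byte literals.
_BYTE_ARRAY = re.compile(r"(?:0x[0-9a-fA-F]{1,2}\s*,\s*){64,}")
_HEX_STRING = re.compile(r"(?:\\x[0-9a-fA-F]{2}){64,}|(?:%u[0-9a-fA-F]{4}){32,}")
# Rough check: a <script> appearing after an <svg> open tag.
_SCRIPT_IN_SVG = re.compile(r"<svg\b[^>]*>.*?<script\b", re.I | re.S)
_SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Payload gated on the client OS, as discussed in the comments.
_PLATFORM_CHECK = re.compile(r"navigator\.(?:platform|userAgent|oscpu)", re.I)


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def scan(document: str) -> Finding:
    """Return a Finding with an additive score and the reasons behind it."""
    finding = Finding()
    scripts = _SCRIPT_TAG.findall(document)
    if not scripts:
        return finding  # nothing executable, nothing to score
    body = "\n".join(scripts)
    if _SCRIPT_IN_SVG.search(document):
        finding.score += 1
        finding.reasons.append("script embedded in SVG")
    if _BYTE_ARRAY.search(body) or _HEX_STRING.search(body):
        finding.score += 2
        finding.reasons.append("large byte blob in script")
    hits = [s for s in LOADER_SYMBOLS if s.lower() in body.lower()]
    if hits:
        finding.score += 2
        finding.reasons.append("loader symbols: " + ", ".join(hits))
    if _PLATFORM_CHECK.search(body):
        finding.score += 1
        finding.reasons.append("platform fingerprinting before payload")
    return finding


def is_suspicious(document: str, threshold: int = 4) -> bool:
    """Constructed threshold: blob plus loader symbols alone is enough to flag."""
    return scan(document).score >= threshold


# Constructed sample: an ordinary page with a harmless inline script.
BENIGN_SAMPLE = "<html><body><script>document.title = 'hello';</script></body></html>"

# Constructed sample mimicking the described traits (the byte values are filler).
SUSPICIOUS_SAMPLE = (
    "<svg xmlns='http://www.w3.org/2000/svg'><script>"
    "if (navigator.platform.indexOf('Win') === 0) {"
    "  var blob = [" + ", ".join("0x90" for _ in range(80)) + "];"
    "  var names = ['kernel32.dll', 'VirtualAlloc'];"
    "}"
    "</script></svg>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = scan(doc)
        print(label, result.score, result.reasons)
```

Run as a filter over proxy or sandbox captures, the score and reasons give an analyst a first triage signal; the check is deliberately crude and will not catch content that builds its byte blob at runtime, so treat it as one indicator among several rather than a verdict.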


  • (Score: 0) by Anonymous Coward on Wednesday November 30 2016, @01:09PM (#434880)

    [Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]

    Well, from the quoted description:

    The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there.

    I'm pretty sure Linux doesn't usually come with kernel32.dll or VirtualAlloc.

  • (Score: 2) by janrinok (52) on Wednesday November 30 2016, @01:49PM (#434897)

    That is true; however, there is still some debate as to whether that is the only vector that it can use. There is not yet enough analysis being made public for those using other OSes to be feeling smug.

    • (Score: 2) by jmorris (4844) on Wednesday November 30 2016, @04:44PM (#434987)

      Yup. Obviously Firefox is allowing outside content to trigger execution to jump somewhere it shouldn't. On Windows they are using that first exploit to get into the win32 APIs, since that is the way to get to the goodies on a Windows PC. But if that first Firefox bug is also exploitable on Linux they will quickly be injecting an exploit that will call into glibc if the browser detection shows Linux.

    • (Score: 0) by Anonymous Coward on Wednesday November 30 2016, @05:18PM (#435007)

      There is not yet enough analysis being made public for those using other OS to be feeling smug.

      I'm an Apple user, smug is my natural state you insensitive clod!

    • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @09:26AM (#435353)

      I don't want to feel smug, I want to feel safe. Well, in this case NoScript already means that I'm mostly safe, but then, there's a slight chance that such code gets served by one of the few whitelisted sites, so the extra security from not using the targeted operating system is nice.

      Given that this uses x86 code, I guess I'd be completely secure from it if I browsed from a Raspberry Pi. If only that weren't so damn slow …

  • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @11:23AM (#435391)

    It's implemented in Wine: https://source.winehq.org/WineAPI/VirtualAlloc.html