SoylentNews is people

posted by janrinok on Wednesday November 30 2016, @10:32AM
from the check-your-security dept.

Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."

http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/

Firefox 0day in the wild is being used to attack Tor users

The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

[tor-talk] Javascript exploit

"This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]


  • (Score: 1) by pTamok on Wednesday November 30 2016, @02:53PM

    by pTamok (3042) on Wednesday November 30 2016, @02:53PM (#434914)

    Perhaps use one of the 'well known' 'magic numbers' for the MAC address

    My first thought was 0xDEADBEEF

    and in fact, the Magic Number article (https://en.wikipedia.org/wiki/Magic_number_(programming)) states that

    The default MAC address on Texas Instruments SOCs is DE:AD:BE:EF:00:00

    I would be tempted to go for DEADBEEFDEAD or BEEFDEADBEEF, or even ADBEEFDEADBE or EFDEADBEEFDE; or muck about with endian conversions; although pretending to be a TI SOC and using 0xDEADBEEF0000 probably isn't bad for anonymity.

  • (Score: 0) by Anonymous Coward on Thursday December 01 2016, @08:58AM

    by Anonymous Coward on Thursday December 01 2016, @08:58AM (#435347)

    I always liked 0xDEADBEEFCAFE

    • (Score: 0) by Anonymous Coward on Saturday December 03 2016, @04:20AM

      by Anonymous Coward on Saturday December 03 2016, @04:20AM (#436384)

      better than 0xDEADCAFEBABE or 0xFACEBEEFCAFE or 0x4FECA1C0FFEE

      yeah

      that's right

      just TRY not using 0x 4 feca1 coffee, next time you need a 'magic' number. just TRY!