SoylentNews is people

posted by janrinok on Friday December 02 2016, @01:06PM
from the stay-safe dept.

ThreatPost reports that Mozilla Patches Firefox Zero day Used to Unmask Tor Browser Users:

As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users.

The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue an emergency update (6.0.7) in its Tor Browser – which is partially built on open source Firefox code – on Wednesday.

According to Daniel Veditz, who leads Mozilla's security team, Firefox users should have their browsers automatically updated at some point over the next 24 hours. If they'd rather not wait, users can download the updated versions – Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1 – manually.

[...] "The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well," Veditz wrote.

Please be aware that the bug also affected the Thunderbird e-mail client.

Other reports can be found at Ars Technica and Security Focus.

The CVE (Common Vulnerabilities and Exposures) report is available at: CVE-2016-9079


  • (Score: 0) by Anonymous Coward on Friday December 02 2016, @02:17PM (#435929)

    If the Security Focus page can be believed, the vulnerability goes back all the way to Firefox 0.1.