ThreatPost reports that Mozilla Patches Firefox Zero Day Used to Unmask Tor Browser Users:
As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users.
The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue an emergency update (6.0.7) in its Tor Browser – which is partially built on open source Firefox code – on Wednesday.
According to Daniel Veditz, who leads Mozilla's security team, Firefox users should have their browsers automatically updated at some point over the next 24 hours. If they'd rather not wait, users can download the updated versions – Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1 – manually.
[...] "The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well," Veditz wrote.
Please be aware that the bug also affected the Thunderbird e-mail client.
Other reports can be found at Ars Technica and Security Focus.
The CVE (Common Vulnerabilities and Exposures) report is available at: CVE-2016-9079
(Score: 1, Interesting) by Anonymous Coward on Saturday December 03 2016, @04:22AM
FTFA: "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well."
i.e. it's not being exploited *widely* but it sure as hell is being exploited now, the cat's out of this bag.