SoylentNews is people

posted by janrinok on Friday December 02 2016, @01:06PM
from the stay-safe dept.

ThreatPost reports that Mozilla Patches Firefox Zero day Used to Unmask Tor Browser Users:

As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users.

The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue an emergency update (6.0.7) in its Tor Browser – which is partially built on open source Firefox code – on Wednesday.

According to Daniel Veditz, who leads Mozilla's security team, Firefox users should have their browsers automatically updated at some point over the next 24 hours. If they'd rather not wait, users can download the updated versions – Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1 – manually.

[...] "The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well," Veditz wrote.

Please be aware that the bug also affected the Thunderbird e-mail client.

Other reports can be found at Ars Technica and Security Focus.

The CVE (Common Vulnerabilities and Exposures) report is available at: CVE-2016-9079



Related Stories

Firefox Zero-Day Exploit is Being Used to Attack Tor Users

Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

"Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor."

http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/
https://web.archive.org/web/20161130072235/http://www.theregister.co.uk/2016/11/30/possible_tor_browser_decloak_zero_day_dropped_patch_in_works/

Firefox 0day in the wild is being used to attack Tor users

The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in Web pages served by a service known as Freedom Hosting.

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
https://web.archive.org/web/20161130031656/http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

[tor-talk] Javascript exploit

"This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP."

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
https://web.archive.org/web/20161130003501/https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

[Editor's Note: The reporting only mentions Windows PCs, but it might not be limited to this OS.]



  • (Score: 0) by Anonymous Coward on Friday December 02 2016, @02:17PM (#435929)

    If the Security Focus page can be believed, the vulnerability goes back all the way to Firefox 0.1.

  • (Score: 0) by Anonymous Coward on Friday December 02 2016, @04:13PM (#436000)

    I would really like a list of the websites that are known to have exploited this vulnerability. Is Google one of them?

    The list may be hard to compile, but anything is better than nothing. So if someone visited such a website, he would know to change his location immediately, destroy (or permanently off-line) the computer, and do general damage-control.

    • (Score: 3, Insightful) by dlb (4790) on Friday December 02 2016, @04:29PM (#436014)

      It's often possible to be anonymous on the Internet. But sometimes it's not. And here's the problem: we usually can't be sure which applies. And so, to my thinking, this needs to be the starting premise for security that relies on any form of anonymity.
  • (Score: 2) by Bot (3902) on Friday December 02 2016, @11:46PM (#436320)

    Who would be interested in knowing who a Tor user is, other than police forces? Maybe mafia or secret service looking for people to blackmail? Isn't it easier to hack normal people in the latter case? Tor users might be a bit paranoid and use a VM or a dedicated PC with no personal info. While if you are the police, in the former case, get the IP and timestamp and bingo.

    --
    Account abandoned.
  • (Score: 1, Interesting) by Anonymous Coward on Saturday December 03 2016, @04:22AM (#436389)

    FTFA: "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well."

    I.e., it's not being exploited *widely* but it sure as hell is being exploited now; the cat's out of this bag.