Firefox Javascript zero-day under active exploit

A Javascript zero-day vulnerability affecting the Mozilla Firefox web browser is currently being actively exploited against The Onion Router (TOR) anonymising network users by unknown attackers.

Firefox is the underlying browser for the TOR Project's anonymising TorBrowser.

Although analysis of the exploit is still underway, a disassembly of the code shows it to be similar to a 2013 Javascript zero-day.

The 2013 exploit caused memory corruption and executed attack code that would find a TOR user's real IP address and network adapter MAC identifier, and relay it back to a server.

It was the work of the United States Federal Bureau of Investigation, which was targeting TOR users who accessed child pornography.

It is not known who is behind the current Javascript exploit, which attempts to send information to a server in France.

The new exploit was first made public on the Tor-Talk mailing list by an admin from the SIGAINT privacy-oriented public email service.

Computer scientist and TOR Project co-founder Roger Dingledine said the vulnerability had been confirmed by Mozilla security engineeer Daniel Veditz, and the firm was working on a fix.

The flaw is believed to affect multiple Windows versions of Firefox as far back as version 41, and up to version 50 of the open source web browser.

Update: The TOR Project has updated its TorBrowser with a fix for the vulnerability. Users are advised to update to version 6.0.7 of TorBrowser as the vulnerability is actively exploited on Windows, TOR Project developer Georg Koppen said.

He advised Apple macOS / OS X and Linux users to also upgrade their browsers, as the bug affects the anonymising software running on those operating systems as well. But Koppen said there was no current indication that the bug has been exploited on Apple macOS / OS X or Linux.

Koppen said TorBrowser users who set their security slider to “high” are thought to be safe from the Javascript vulnerability.

The patch also updated the NoScript Javascript/Java/Adobe Flash blocker for Firefox to version 2.9.5.2.

The fix for the vulnerability will be rolled out to Firefox users automatically over the next 24 hours, a Mozilla spokesperson told iTnews. 

Firefox users who wish to update their browsers immediately can download the fixed version.