iTnews

Firefox Javascript zero-day under active exploit

By Juha Saarinen on Nov 30, 2016 3:00PM
Updated: Similar to FBI's 2013 0day.

A Javascript zero-day vulnerability affecting the Mozilla Firefox web browser is currently being actively exploited against The Onion Router (TOR) anonymising network users by unknown attackers.

Firefox is the underlying browser for the TOR Project's anonymising TorBrowser.

Although analysis of the exploit is still underway, a disassembly of the code shows it to be similar to a 2013 Javascript zero-day.

The 2013 exploit caused memory corruption and executed attack code that would find a TOR user's real IP address and network adapter MAC identifier, and relay it back to a server.

It was the work of the United States Federal Bureau of Investigation, which was targeting TOR users who accessed child pornography.

It is not known who is behind the current Javascript exploit, which attempts to send information to a server in France.

The new exploit was first made public on the Tor-Talk mailing list by an admin from the SIGAINT privacy-oriented public email service.

Computer scientist and TOR Project co-founder Roger Dingledine said the vulnerability had been confirmed by Mozilla security engineer Daniel Veditz, and the firm was working on a fix.

The flaw is believed to affect multiple Windows versions of Firefox as far back as version 41, and up to version 50 of the open source web browser.

Update: The TOR Project has updated its TorBrowser with a fix for the vulnerability. Users are advised to update to version 6.0.7 of TorBrowser as the vulnerability is actively exploited on Windows, TOR Project developer Georg Koppen said.

He advised Apple macOS / OS X and Linux users to also upgrade their browsers, as the bug affects the anonymising software running on those operating systems as well. But Koppen said there was no current indication that the bug has been exploited on Apple macOS / OS X or Linux.

Koppen said TorBrowser users who set their security slider to “high” are thought to be safe from the Javascript vulnerability.

The patch also updated the NoScript Javascript/Java/Adobe Flash blocker for Firefox to version 2.9.5.2.

The fix for the vulnerability will be rolled out to Firefox users automatically over the next 24 hours, a Mozilla spokesperson told iTnews.

Firefox users who wish to update their browsers immediately can download the fixed version.

Copyright © iTnews.com.au. All rights reserved.