Mozilla has released a patch for a critical remote code execution vulnerability in Firefox that is being used in active attacks to unmask users of the Tor Browser, which is based on Firefox.
Veditz said Mozilla first got word of the vulnerability on Tuesday morning, a few hours before details of the bug and exploit code were posted on the Tor mailing list. Mozilla released the patch about a day later, and Tor has also released an update for the Tor Browser to address the issue.
“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect,” the Tor Project said in the release notes for the new version of the browser.
Several security researchers have said that the exploit seen in the wild for this vulnerability is nearly identical to one known to have been used by the FBI in an investigation of a child exploitation site. Mozilla’s Veditz said there’s no direct confirmation that the exploits are the same.
“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” he said.
Image: Akamdar, CC BY 2.0 license.