Mozilla has released a patch for a critical remote code execution vulnerability in Firefox that is being used in active attacks to unmask users of the Tor Browser, which is based on Firefox.

The vulnerability lies in the way that Firefox handles SVG animations, and exploit code for the bug has been posted on a public Tor mailing list. The exploit uses JavaScript on a malicious web site to deliver a payload, which only works against Windows machines at the moment. The vulnerability exists on Linux and MacOS too.

“The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server,” Daniel Veditz of Mozilla said.

Veditz said Mozilla first got word of the vulnerability on Tuesday morning, a few hours before details of the bug and exploit code were posted on the Tor mailing list. Mozilla released the patch about a day later, and Tor also has released an update for the Tor Browser to address the issue.

“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect,” the Tor Project said in the release notes for the new version of the browser.

Several security researchers have said that the exploit seen in the wild for this vulnerability is nearly identical to one known to have been used by the FBI in an investigation of a child exploitation site. Mozilla’s Veditz said there’s no direct confirmation that the exploits are the same.

“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” he said.

Image: Akamdar, CC By 2.0 license.
