Mozilla, Tor Issue Critical Update for Actively Exploited Firefox Vulnerability

An unknown Firefox vulnerability which originally came to light in a post on the official Tor website, has now been fixed by Mozilla and Tor. The exploit takes advantage of a memory corruption vulnerability that allows malicious payload to send the targets IP and MAC address to an anonymous server.

The Motherboard found several reports that point to this code being used on a Tor hidden service called the Giftbox, which is used to peddle child pornography. This is very similar to the technique used by the FBI back in 2013 to identify users who were trading child pornography, over the Tor network. However, now that this very same code is out in the wild, anyone can exploit it with some changes to the code.

Daniel Veditz from Mozilla, stated in a blog post, “This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency. As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.” Mozilla issued an update to Firefox on Wednesday that it says will roll out automatically to existing users - but users can also update their browsers via the company site.

The Tor browser is built using Firefox as its base. The latest version (6.0.7) is now available for download and is said to fix this issue. The official Tor blog post states that this security flaw is currently being actively exploited on Windows systems and that Mac and Linux users are most likely also affected, although the exploit is being actively present on the latter to platforms as of now.

The blog post by Tor strongly recommends updating the browser immediately if that’s something you use for surfing the Web. If you have the security slider set to ‘High’ then your chances are better, although doing so might prevent most websites that use JavaScript from working properly. Updates to the alpha and hardened versions of Tor are on the way so till then, it’s recommended to switch to the stable release.