Tor users at risk of having their anonymity stripped via attacks exploiting Firefox zero-day

Wait a second… this looks familiar…


Attackers are currently exploiting a zero-day vulnerability in the Firefox web browser to strip anonymity from Tor users.

News of the security hole first emerged on Tor Talk, a mailing list for users who are interested in onion routing. There, an admin for the privacy-centric organization SIGAINT published exploit code for the vulnerability as well as the following introduction:

"This is a JavaScript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to 'VirtualAlloc' in 'kernel32.dll' and goes from there."

The code makes use of a memory corruption vulnerability in Firefox versions 45-50 to execute code on computers running Windows. Security researcher Joshua Yabut analyzed the exploit and said it's specifically targeting a heap overflow bug to achieve remote code execution.

Upon successful exploitation, the attack sends a unique identifier about each victim's computer to a server at 5.39.27.226, a French IP address that as of this writing was down.

So what's the big deal?

The exploit threatens the privacy of Tor users (and maybe even some Firefox users) in much the same way as a campaign created by the FBI did back in 2013. For that attack, the FBI used code to deanonymize visitors of a child abuse website and send their data to a server located at 65.222.202.54.

These two attacks aren't that dissimilar.

In fact, a security researcher who goes by the Twitter handle @TheWack0lian told Ars Technica that the two campaigns are essentially identical:

"It's basically almost EXACTLY the same as the payload used in 2013. It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed."

Mozilla is currently working on a fix for the Firefox bug, which Tor co-founder Roger Dingledine confirmed on 29 November.

While we await a patch, Firefox users should disable JavaScript using a plugin like NoScript, and Tor users should consider making use of privacy measures other than the Tor browser.

For instance, they could consider using a VPN, searching only via the DuckDuckGo search engine, and not employing Firefox as their web browser of choice.
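
A log triage built from the details above, as an added example that is not part of the original article: it flags hosts that contacted either server address named in the article and hosts whose User-Agent shows Firefox 45-50 on Windows. The log format, the sample lines and the function name `triage` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Addresses named in the article: the current campaign's server and the 2013 one.
CALLBACK_IPS = {"5.39.27.226", "65.222.202.54"}
# Firefox major versions the article lists as affected (45-50), on Windows only.
AFFECTED_MAJORS = range(45, 51)
UA_RE = re.compile(r"\(Windows[^)]*\).*\bFirefox/(\d+)\.")

# Constructed log lines (hypothetical format): time, source host, destination IP,
# destination port, quoted User-Agent ("-" when the connection carried none).
# Ports and the 192.0.2.10 documentation address are made up for the sample.
SAMPLE_LOG = '''\
2016-11-30T09:14:02Z 10.0.4.17 192.0.2.10 443 "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
2016-11-30T09:14:09Z 10.0.4.17 5.39.27.226 80 "-"
2016-11-30T09:20:41Z 10.0.4.22 192.0.2.10 443 "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
2016-11-30T09:31:55Z 10.0.4.30 192.0.2.10 443 "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
2016-11-30T09:40:12Z 10.0.4.31 192.0.2.10 443 "Mozilla/5.0 (Windows NT 10.0; rv:44.0) Gecko/20100101 Firefox/44.0"
this line is malformed and must be skipped
'''
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def triage(log_text):
    """Return {source_host: set of findings} for hosts needing attention."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, src, dst, _port, ua = m.groups()
        if dst in CALLBACK_IPS:
            findings[src].add("contacted-callback-server")
        v = UA_RE.search(ua)
        if v and int(v.group(1)) in AFFECTED_MAJORS:
            findings[src].add("affected-firefox-on-windows")
    return dict(findings)


if __name__ == "__main__":
    for host, tags in sorted(triage(SAMPLE_LOG).items()):
        print(host, ", ".join(sorted(tags)))
```

A host carrying both findings deserves attention first; a User-Agent string is self-reported, so the version check is an inventory aid rather than proof of exposure.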


4 Responses

  1. Jack

    December 1, 2016 at 12:37 pm #

    This is a good thing, the fed spooks are going to lose this snooping hole once it's patched. For TOR users, this is great news that this vulnerability/exploit was discovered.

    • Bob in reply to Jack.

      December 1, 2016 at 12:52 pm #

      It's been around since 2013. This is a simple re-coding of the same vulnerability.

      The sooner it's properly fixed, the better.

  2. IanH

    December 2, 2016 at 7:05 pm #

    I'm very happy to be known to be using Tor. I think everyone should use it. The more we fill up the snoopers' inboxes with white noise the more they might get the idea that targeted surveillance might be a better idea.

    • kilroy in reply to IanH.

      December 3, 2016 at 2:21 pm #

      Targeted surveillance is racist, discriminatory, prejudiced, a right-wing conspiracy, and President Trump's fault.
      Better to punish the entire population of planet Earth than to single out a single wrongdoer.
