Mozilla and Tor Warn of Critical Firefox Vulnerability, Urge Users to Update

Mozilla and Tor have published browser updates to patch a critical Firefox vulnerability used to deanonymize users (via ArsTechnica).

The Tor Browser, a privacy tool, is based on the open-source Firefox browser developed by Mozilla, which received a copy of the previously unknown JavaScript-based attack code yesterday. Mozilla said in a blog post that the vulnerability had been fixed in a just-released version of Firefox for mainstream users.

The code execution flaw was reportedly already being exploited in the wild on Windows systems, but in an advisory published later on Wednesday, Tor officials warned that Mac users were vulnerable to the same hack.

"Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

The exploit is capable of sending the user's IP and MAC address to an attacker-controlled server, and resembles "network investigative techniques" previously used by law-enforcement agencies to unmask Tor users, leading some in the developer community to speculate that the new exploit was developed by the FBI or another government agency and was somehow leaked. Mozilla security official Daniel Veditz stopped short of pointing the finger at the authorities, but underlined the perceived risks involved in attempts to sabotage online privacy.

"If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web."

The Firefox attack code first circulated on Tuesday on a Tor discussion list and was quickly confirmed as a zero-day exploit, the term given to vulnerabilities that are actively exploited in the wild before the developer has a patch in place.

The Tor Browser update that fixes the vulnerability is version 6.0.7 and can be downloaded here.

Vanilla Firefox users can download the update to their browser manually from here.
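Added example, not from the article and not code from Mozilla or the Tor Project: a small inventory check that decides, from a version string, whether a Firefox, Firefox ESR or Tor Browser install already carries the fix, using the fixed versions named on this page (Firefox 50.0.2, Firefox ESR 45.5.1, Tor Browser 6.0.7). The product labels, the 'esr' suffix convention and the sample hosts are assumptions.

```python
import re
from typing import List, Tuple

# Fixed versions as stated on this page: Firefox 50.0.2 (mainstream),
# Firefox ESR 45.5.1 and Tor Browser 6.0.7. Anything below these is exposed.
FIXED = {
    "firefox": (50, 0, 2),
    "firefox-esr": (45, 5, 1),
    "tor-browser": (6, 0, 7),
}

def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric tuple, is_esr) for strings like '50.0.1' or '45.5.0esr'."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))  # pad so '51.0' compares as 51.0.0
    return nums, m.group(2) is not None

def is_patched(product: str, version: str) -> bool:
    """True if the install is at or above the version carrying the fix.

    A Firefox version ending in 'esr' (assumed suffix convention) is checked
    against the ESR branch; a bare '45.5.1' is treated as an old mainstream
    build that still needs 50.0.2, so record the branch in the inventory
    rather than guessing it from the number alone.
    """
    nums, esr = parse_version(version)
    if product == "firefox" and esr:
        product = "firefox-esr"
    if product not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    return nums >= FIXED[product]

def unpatched_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Filter (host, product, version) records down to hosts still exposed."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("ws-01", "firefox", "50.0.1"),
    ("ws-02", "firefox", "50.0.2"),
    ("ws-03", "firefox", "45.5.0esr"),
    ("ws-04", "firefox", "45.5.1esr"),
    ("ws-05", "tor-browser", "6.0.6"),
    ("ws-06", "tor-browser", "6.0.7"),
    ("ws-07", "firefox", "45.5.1"),  # mainstream 45.x, not ESR: below 50.0.2
]
```

Running `unpatched_hosts(SAMPLE)` returns the hosts that still need the update; feed it real version strings gathered by your endpoint agent in place of the constructed sample.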

Top Rated Comments

42 months ago
I don't know who these people are who work to assure our privacy and give us products for free... but thank you!
Rating: 6 Votes
42 months ago

People still use Mozilla?

Yes, we do.
Rating: 5 Votes
42 months ago
Firefox is still a great browser and yes, I still use it.
Rating: 4 Votes
42 months ago
I've downloaded 50.0.1 this morning, now 50.0.2 is available.
To force upgrade: Open Menu Firefox, About Firefox, there's the update button.
And open the same menu again to restart Firefox.

*** Just going to Firefox.com might show that you have the latest version running, even if you're still on 50.0.1. But you're probably not running the latest version, so use the above to upgrade.
Rating: 3 Votes
42 months ago

Mozilla, please make sure you update your ESR versions as well for those of us who are unable to run your latest release on perfectly good devices.

Firefox ESR 45.5.1 ('https://www.mozilla.org/en-US/firefox/45.5.1/releasenotes/') includes the security fix.

This includes iOS users as well who can't run iOS 9 & 10. Thank you.

I doubt the iOS version is affected, as it uses Apple's WebKit layout engine rather than Mozilla's Gecko (which is used in the desktop version).
Rating: 3 Votes
42 months ago
If you need to use Tor, disable JavaScript.
Rating: 3 Votes
42 months ago

Mozilla, please make sure you update your ESR versions as well for those of us who are unable to run your latest release on perfectly good devices.


"ESR" stands for "extended support release." What you're looking for is precisely why the ESR branch is labeled as such: they continue to provide security updates to it for the length of its support cycle, which is longer--i.e., extended--compared to that of the mainstream versions. As another noted, the latest release, 45.5.1, includes this fix, which is what you should expect to happen if the ESR branch is affected.

This includes iOS users as well who can't run iOS 9 & 10. Thank you.

It, in fact, does not--Apple doesn't let people publish apps that can execute arbitrary code on the device, so Firefox is basically a wrapper around the same engine Safari uses (and so is Chrome and pretty much any other browser on iOS, though notably not Opera Mini, which gets around this by doing most of the work on Opera's servers). The iOS app is not affected since it is an issue with the JavaScript and SVG engines. However, even if it were, old versions of Firefox on iOS are not considered "ESR," and Mozilla never promised to keep an old branch updated. (Such a practice is very rare, if not completely unheard of, for mobile apps in general.)

What's more interesting to me is the actual exploit ('https://blog.mozilla.org/security/2016/11/30/fixing-an-svg-animation-vulnerability/') details. Mozilla suggests that it might be an exploit intentionally created by the FBI or other government agency because it sounds similar to a technique they once used to de-anonymize Tor users. The exploit itself is a security concern regardless, however, because it allows the execution of an arbitrary payload.
Rating: 2 Votes
42 months ago
People still use Mozilla? I thought most folks moved on to Chrome, or Safari.

For no other reason than just because. I've migrated off of Mozilla; Safari seems decent enough.
Rating: 2 Votes
42 months ago

Firefox is crap. Who the hell is still using it?

Seems like that was asked earlier with some replies about it that were posted afterward.
Rating: 2 Votes
42 months ago

People still use Mozilla? I thought most folks moved on to Chrome, or Safari.

For no other reason than just because. I've migrated off of Mozilla; Safari seems decent enough.

In many corporate environments, Firefox is - still - the browser of choice.

Some of them switched to Firefox around the time of Internet Explorer 6 (in the Windows 2000 / XP era) because IE6 was crap. When the new IEs came out they were improved, but not better than the current FF of that time.
Then many of these corporate networks allowed mixed OSes and FF is something that worked on all of them.

Perhaps Chrome would have won the race if it came in earlier, but FF still did/does the job.
Changing browser company wide could be a serious endeavor with a significant risk applications don't run as they should. Having a multi-platform browser and ESR are important for these environments.

And that's one of the reasons why today people indeed still use Mozilla. I have been using FF since corporate forced me to do so about 10 years ago. Since then I also used it on my personal machines. And I cannot say I regret it. It never let me down since the first day and it became part of the family.

I honestly envy you for using Safari. I've tried a couple times to switch, but it doesn't feel good. Now I fire up Safari just to tune into the keynotes live streams. Chrome is started briefly to enter certain apps that are not compatible with FF nor Safari.

That being said, I haven't installed Firefox on iOS. Strangely, Safari feels good enough while doing the occasional browse on the road. As we spend more and more time inside the browser it becomes a very personal thing. Habits are difficult to change.
Rating: 1 Votes