Mozilla scrambling to address security attacks on Tor users

Mozilla scrambling to address security attacks on Tor users

A Javascript zero-day vulnerability affecting the Mozilla Firefox web browser is now being actively exploited against The Onion Router (TOR) anonymising network users by unknown attackers.

Mozilla is expected to release a security patch in the near future for Firefox, whose vulnerability is apparently exploited to attack Tor users. It consists of one HTML and one CSS file. Early analyses suggest it requires JavaScript to be enabled in the browser. "It sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update".

Attack code exploiting a use-after-free vulnerability in Firefox first circulated Tuesday on a Tor discussion list and was quickly confirmed as a zero-day, the term given to vulnerabilities that are actively exploited in the wild before the developer has a patch in place. Tor Project co-founder and president Roger Dingledine said Mozilla is aware of the issue and is working on a patch.

Besides an update for Firefox, Wednesday's Tor release also includes an update to NoScript, a Firefox extension that ships with the Tor browser.

Security researcher and CEO of TrailofBits, Dan Guido, notes that macOS is also vulnerable. Because the initial post to the Tor group included the complete source code, the highly reliable exploit is now in the hands of potentially millions of people.

It is not known who is behind the current Javascript exploit, which attempts to send information to a server in France. "If you want to see one of those, check out Pegasus which had to deal with code signing and JIT pages". "Pwn2Own 2012-level tech", Guido said.

Window users out there: if the potential exploit bothers you, your best bet would be Chrome or Edge, which should be more hard to exploit due to memory partitioning. The attack allowed the Federal Bureau of Investigation to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.

Tor Browser users are irreversibly tied to the security features provided by Firefox.

Guido also says the exploit isn't related to any Metasploit Framework modules, and that the "version regex in the exploit matches Firefox 49, and the specific user-agent that the Tor Browser Bundle uses". If they want to keep Tor Browser up and running, then they should consider donating to Mozilla, who is now showing a donation form on the Firefox Start Page.