Emergency Bulletin: Firefox 0 day in the wild. What to do. – Wordfence

https://www.wordfence.com/blog/2016/11/emergency-bulletin-firefox-0-day-wild/

Update now!

7 Comments

  1. Tomi Engdahl says:

    Firefox 0-day in the wild is being used to attack Tor users
    Publicly released exploit works reliably against a wide range of Firefox versions.
    http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/

    Firefox developer Mozilla and Tor have patched the underlying vulnerability, which is found not only in the Windows version of the browser, but also the versions of Mac OS X and Linux.

    There’s a zero-day exploit in the wild that’s being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.

    Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: “This is an [sic] JavaScript exploit actively used against TorBrowser NOW.” Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch.

    [tor-talk] Javascript exploit
    https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

  2. Tomi Engdahl says:

    Firefox Zero-Day Exploit to Unmask Tor Users Released Online
    Tuesday, November 29, 2016 Swati Khandelwal
    http://thehackernews.com/2016/11/firefox-tor-exploit.html

    Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site.

    A JavaScript zero-day exploit currently being actively exploited in the wild is designed to remotely execute malicious code on the Windows operating system via a memory corruption flaw in the Firefox web browser.

    The exploit code was publicly published by an admin of the SIGAINT privacy-oriented public email service on the Tor-Talk mailing list.

    The mailing list message reveals that the zero-day exploit affecting Firefox is currently being exploited against Tor Browser users by unknown attackers to leak the potentially identifying information of Tor users, officials of the anonymity service confirmed Tuesday.

    https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

  3. Tomi Engdahl says:

    Tor Users Targeted With Firefox Zero-Day Exploit
    http://www.securityweek.com/tor-users-targeted-firefox-zero-day-exploit

    A JavaScript exploit leveraging a zero-day vulnerability in Firefox has been spotted in attacks aimed at Tor users. Mozilla and Tor Browser developers are expected to quickly release updates that address the security hole.

    Tor Patched Against Zero Day Under Attack
    https://threatpost.com/tor-patched-against-zero-day-under-attack/122176/

    Update: The Tor Project has provided a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.

  4. Tomi Engdahl says:

    Mozilla Patches Firefox Zero-Day Exploited to Unmask Tor Users
    http://www.securityweek.com/mozilla-patches-firefox-zero-day-exploited-unmask-tor-users

    Security updates released on Wednesday for Firefox and the Tor Browser address a zero-day vulnerability exploited to deanonymize Tor users. Evidence suggests that the exploit may have been used by a law enforcement agency in an operation targeting child pornography distributors.

    The exploit surfaced earlier this week and Mozilla immediately started working on a patch. According to the organization, the vulnerability leveraged by the exploit is a critical use-after-free affecting the SVG Animation component in Firefox.

    Mozilla resolved the flaw, tracked as CVE-2016-9079, with the release of Firefox 50.0.2, Firefox ESR 45.5.1 and Thunderbird 45.5.1. In the Tor Browser, which is based on Firefox, the issue has been addressed in version 6.0.7. The Tor Project told users that those who had set their security slider to “High” were not affected by the vulnerability.

  5. Tomi Engdahl says:

    Newly Uncovered Tor Browser Exploit Targeted Dark Web Child Porn Site
    https://motherboard.vice.com/read/tor-browser-zero-day-exploit-targeted-dark-web-child-porn-site-giftbox

    On Tuesday, reports surfaced of an exploit being deployed in the wild against users of the anonymizing software Tor Browser. Like other Tor Browser exploits used in the past, it was likely used to target visitors of a dark web child pornography site, Motherboard has found.

    The existence of the exploit first emerged when a pseudonymous tipster published the code on a Tor mailing list.

    “This is an Javascript exploit actively used against TorBrowser NOW,” they wrote.

    Motherboard has found several reports that the code had been deployed on a Tor hidden service peddling child pornography

    active discussion on another child pornography site about the malware

    “NIT Found! Suspected to be Operated by Law Enforcement,” the entry continues. A NIT, or a network investigative technique, is a general term used by the FBI to describe the agency’s malware.

    On Tuesday, a pseudonymous user on Hacker News also said the exploit was used on the “CP site” GiftBox.

    The site administrators said they were shutting down the main GiftBox site on November 15

    The Tor Browser is based on Mozilla’s Firefox

    Joshua Yabut, a researcher who analyzed the exploit, told Ars Technica that the code is “100 percent effective for remote code execution on Windows systems.” The payload of this latest malware points to an IP address of 5.39.27.226, a server in France belonging to hosting provider OVH.

    The code for the exploit has been public for nearly 24 hours now, meaning there is a chance that others may have attempted to use it themselves before it had been patched.

  6. Tomi Engdahl says:

    The shellcode used is almost exactly the shellcode of the 2013 one https://tsyrklevich.net/tbb_payload.txt …except it builds sockaddr_in on the stack.

    Source: https://twitter.com/TheWack0lian/status/803736507521474560

  7. Tomi Engdahl says:

    Tor Browser vulnerability used to attack visitors to a child porn site
    http://www.theverge.com/2016/11/30/13799498/tor-browser-vulnerability-child-porn-fbi-exploit

    A child pornography site called Giftbox has been attacking its users with a newly discovered exploit in the Tor Browser, according to an exclusive report from Motherboard. According to one user, the exploit was present on the main page, giving attackers a clear way to plant malware on any computer that visited the site.

    It’s not clear what the attackers used the exploit for, or what any resulting programs might have done, but such an exploit would have been an easy way for law enforcement to track down anyone visiting the illegal site.

    The new exploit isn’t an attack on Tor itself, which disguises traffic by routing it through a larger network. Instead, the attack focuses on the Tor Browser, a modified version of Firefox designed for connecting to websites that can only be accessed through the Tor network.

    There’s no clear evidence for who’s behind the attack, but the tactics are very similar to a number of recent FBI operations. In 2013, the FBI took down a number of hidden services on the Freedom Hosting network, employing a similar browser-based exploit. A year later, the FBI took control of a child porn site called Playpen and — rather than shutting the site down — used it to actively seed tracking malware to its visitors, using that information to identify and prosecute them.

    That operation is still legally controversial, but soon it will be much easier for US judges to authorize similar hacks. On December 1st, new amendments to the rules of criminal procedure are set to take effect, allowing judges to write warrants for networked computers regardless of their location.

    That new legal power, combined with the growing availability of law enforcement malware, would make it much easier for agencies to target and prosecute anonymous figures online, potentially causing significant collateral damage to systems in the process.

