pixel_dreams - Fotolia

Mozilla and Tor issue patches for Firefox flaw exposing Tor users

Users of Tor anonymous browsing urged to update to the latest versions of relevant software to block an exploit that collects IP and MAC addresses to identify users

Mozilla and the Tor Project have issued software updates to block attackers using a zero-day Firefox vulnerability to identify users of the Tor anonymous web browsing services.  

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation.

The latest version of the Firefox browser is 50.0.2, the Tor Browser was updated to 6.0.7, and the Tails OS (operating system), which uses the Tor network, has also been updated to version 2.7.1.

Although the Firefox vulnerability is believed to have been used only against Windows users, it could theoretically be used against Mac OS X and Linux users, according to Neowin.

Mozilla said existing copies of Firefox should update automatically, but that users may also download the updated version manually.

The update was released after Mozilla was provided with code for an exploit using a previously unknown vulnerability in Firefox on 29 November 2016.

The code was also posted in a Tor discussion group, which meant that a highly reliable exploit quickly became available to millions of people.

The exploit takes advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG (scalable vector graphics) code. 

It uses this capability to collect the IP address and MAC address of the targeted system and report them back to a central server, Mozilla security lead Daniel Veditz wrote in a blog post.

“The exploit in this case works in essentially the same way as the ‘network investigative technique’ used by FBI to deanonymize Tor users (as the FBI described it in an affidavit).

“This similarity has led to speculation that this exploit was created by the FBI or another law enforcement agency,” he said.

Read more about the Tor browser

  • A leading developer of the open source Tor browser for anonymous web surfing claims some UK and US spies are helping fix flaws exploited by state intelligence agencies.
  • New threats add to the Tor anonymity debate, as a new browser aims to take anonymous browsing to the next level.
  • A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymise users during a criminal investigation.

If this was in fact developed and deployed by a government agency, Veditz said the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader web.

Users of the Tor browser are encouraged to update all their browsing software to the latest versions and to restart their Tor browser after updating.

According to the release notes for latest version of Firefox, the underlying vulnerability is identified as CVE-2016-9079 and is rated as critical.

A separate Mozilla security advisory shows the flaw also affects Mozilla’s Thunderbird e-mail application, as well as the Firefox Extended Support release version used by the Tor browser, reports Ars Technica.

A thread on an online forum for discussing Firefox bugs indicated the critical flaw has existed in the browser code base for five years.

News of the exploit has raised concerns that it may have been used to unmask political dissidents or innocent users of the Tor anonymity services.

Read more on Privacy and data protection

Data Center
Data Management