Mozilla and Tor users are being urged to download updates to patch a critical Firefox vulnerability used to deanonymize users.
“The security flaw responsible for this urgent release is already actively exploited on Windows systems,” a Tor official wrote in an advisory published Wednesday afternoon. “Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.”
The Tor privacy tool is based on the open-source Mozilla Firefox browser. Mozilla became aware of the previously unknown attack code yesterday and has fixed the vulnerability in a just-released version of Firefox for the general public.
While the code has been reported in the wild affecting only Windows systems so far, Tor on Wednesday advised users that OS X and Linux systems are vulnerable to the same underlying bug.
The attack is triggered when the browser loads malicious JavaScript together with code based on Scalable Vector Graphics (SVG) animation. The exploit can then send the target’s IP and MAC address to the bad guys’ server. The code resembles techniques used by law-enforcement agencies in the past: a similar exploit was used by the FBI in 2013 to identify Tor users who were trading child pornography.
While it hasn’t been shown that the code is actually an offshoot of the exploit used by the government, Mozilla security official Daniel Veditz commented on the threat that “supposedly limited government hacking” poses to the web in general.
“If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.”
The Tor version that fixes the vulnerability is version 6.0.7 and can be downloaded here. Firefox users can download the update here.
(Via MacRumors)