Firefox 0day in the wild is being used to attack Tor users

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
therube
Ambassador
Posts: 7408
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Firefox 0day in the wild is being used to attack Tor users

Post by therube » Wed Nov 30, 2016 4:01 am

Firefox 0day in the wild is being used to attack Tor users

Publicly released exploit works reliably against a wide range of Firefox versions.

Dan Goodin - Nov 30, 2016 1:50 am UTC

There's a zero-day exploit in the wild that's being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.

Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: "This is an [sic] JavaScript exploit actively used against TorBrowser NOW." Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch. ...

http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46

barbaz
Senior Member
Posts: 9144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by barbaz » Wed Nov 30, 2016 4:34 am

IIUC from the article, only Firefox on Windows is being exploited. But is the vulnerability in question specific to Windows Firefox, or does it apply to Linux64 as well?
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Thrawn » Wed Nov 30, 2016 4:50 am

Well, the specific real-world exploit targeted Windows components. There's not enough detail to say whether it could have targeted *nix, or whether the bug wouldn't apply there.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by barbaz » Wed Nov 30, 2016 10:14 pm

*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by barbaz » Wed Nov 30, 2016 10:48 pm

*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by barbaz » Thu Dec 01, 2016 4:31 am

*Always* check the changelogs BEFORE updating that important software!
-

User avatar
therube
Ambassador
Posts: 7408
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Firefox 0day in the wild is being used to attack Tor use

Post by therube » Fri Dec 02, 2016 3:31 am

So NoScript appears to block the exploit (well at least I can't get [SeaMonkey 2.46] to crash with NoScript installed [& it does otherwise] [& at least with the testcase I used).

Not sure why it does, but not going to argue about that.


BTW, FF 50.0.2 crashes the tab, SeaMonkey crashes the browser.
(Multiprocess enabled in FF.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46 Lightning/.4.46

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Thrawn » Sun Dec 04, 2016 11:42 pm

The bug relies on JavaScript to work. If you leave the test site blocked, you've disarmed it.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Lurion
Junior Member
Posts: 36
Joined: Wed Jul 23, 2014 12:38 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Lurion » Mon Dec 05, 2016 7:46 am

Pisses me off that so many websites today are deepthroating javascript and are totally refusing to run without it.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Thrawn » Mon Dec 05, 2016 10:57 pm

Lurion wrote:totally refusing to run without it.

You can sometimes fight back with surrogate scripts.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by johnscript » Tue Dec 06, 2016 11:33 am

therube wrote:(..)
Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: "This is an [sic] JavaScript exploit actively used against TorBrowser NOW." Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch. ...


Is that post still accessible? Did it contain the actual testcase?
Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Giorgio Maone » Tue Dec 06, 2016 12:51 pm

johnscript wrote:Is that post still accessible? Did it contain the actual testcase?

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: Firefox 0day in the wild is being used to attack Tor use

Post by johnscript » Tue Dec 13, 2016 11:38 am

Thanks, Giorgio - I was looking in the wrong place.

It states
it consists of one HTML and one CSS file

I'll admit my ignorance here: these files weren't just floating around somewhere on the internet, for them to work they had to be maybe injected in some websites, either on the fly by MTM or tampering with these websites, right?
If so, do we have any names for such websites - or was it some kind of attack that could happen on any website really ?
Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

User avatar
Giorgio Maone
Site Admin
Posts: 8697
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Firefox 0day in the wild is being used to attack Tor use

Post by Giorgio Maone » Tue Dec 13, 2016 11:46 am

johnscript wrote:these files weren't just floating around somewhere on the internet, for them to work they had to be maybe injected in some websites, either on the fly by MTM or tampering with these websites, right?
If so, do we have any names for such websites - or was it some kind of attack that could happen on any website really ?

I don't know for sure, since the original reported didn't tell where he found it, but by the look of the payload it seems a state-sponsored exploit and therefore it could be injected in any non-encrypted web page given a cooperative ISP.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

Post Reply