Firefox 0day in the wild is being used to attack Tor users

[therube]

Firefox 0day in the wild is being used to attack Tor users

Publicly released exploit works reliably against a wide range of Firefox versions.

Dan Goodin - Nov 30, 2016 1:50 am UTC

There's a zero-day exploit in the wild that's being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.

Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: "This is an [sic] JavaScript exploit actively used against TorBrowser NOW." Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch. ...

http://arstechnica.com/security/2016/11 ... d-in-2013/

[barbaz]

IIUC from the article, only Firefox on Windows is being exploited. But is the vulnerability in question specific to Windows Firefox, or does it apply to Linux64 as well?

[Thrawn]

Well, the specific real-world exploit targeted Windows components. There's not enough detail to say whether it could have targeted *nix, or whether the bug wouldn't apply there.

[barbaz]

https://www.mozilla.org/security/adviso ... sa2016-92/

[barbaz]

.. and the fix is now released -
https://www.mozilla.org/firefox/50.0.2/releasenotes/
https://www.mozilla.org/firefox/45.5.1/releasenotes/

[barbaz]

http://arstechnica.com/security/2016/11 ... ve-attack/
No, the vuln is not Windows-specific.

[therube]

So NoScript appears to block the exploit (well at least I can't get [SeaMonkey 2.46] to crash with NoScript installed [& it does otherwise] [& at least with the testcase I used).

Not sure why it does, but not going to argue about that.


BTW, FF 50.0.2 crashes the tab, SeaMonkey crashes the browser.
(Multiprocess enabled in FF.)

[Thrawn]

The bug relies on JavaScript to work. If you leave the test site blocked, you've disarmed it.

[Lurion]

Pisses me off that so many websites today are deepthroating javascript and are totally refusing to run without it.

[Thrawn]

totally refusing to run without it.

You can sometimes fight back with surrogate scripts.

[johnscript]

(..)
Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: "This is an [sic] JavaScript exploit actively used against TorBrowser NOW." Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch. ...

Is that post still accessible? Did it contain the actual testcase?

[Giorgio Maone]

Is that post still accessible? Did it contain the actual testcase?

https://lists.torproject.org/pipermail/ ... 42639.html

[johnscript]

Thanks, Giorgio - I was looking in the wrong place.

It states

it consists of one HTML and one CSS file

I'll admit my ignorance here: these files weren't just floating around somewhere on the internet, for them to work they had to be maybe injected in some websites, either on the fly by MTM or tampering with these websites, right?
If so, do we have any names for such websites - or was it some kind of attack that could happen on any website really ?

[Giorgio Maone]

these files weren't just floating around somewhere on the internet, for them to work they had to be maybe injected in some websites, either on the fly by MTM or tampering with these websites, right?
If so, do we have any names for such websites - or was it some kind of attack that could happen on any website really ?

I don't know for sure, since the original reported didn't tell where he found it, but by the look of the payload it seems a state-sponsored exploit and therefore it could be injected in any non-encrypted web page given a cooperative ISP.