Firefox Zero-Day Exploit to Unmask Tor Users Released Online
Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site.

Tor (The Onion Router) is an anonymity software that not only provides a safe heaven to human rights activists, journalists, government officials, but also is a place where drugs, assassins for hire, child pornography, and other illegal activities has allegedly been traded.

A Javascript zero-day exploit currently being actively exploited in the wild is designed to remotely execute malicious code on the Windows operating system via memory corruption flaw in Firefox web browser.

The exploit code was publicly published by an admin of the SIGAINT privacy-oriented public email service on the Tor-Talk mailing list.

The mailing list message reveals that the zero-day exploit affecting Firefox is currently being exploited against Tor Browser users by unknown attackers to leak the potentially identifying information of Tor users, officials of the anonymity service confirmed Tuesday.

Tor Browser Bundle is a repackaged version of Mozilla Firefox web browser that runs connections through the Tor anonymizing network configured to hide its user's public IP address.
"[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured," the author says. "The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there."
That means, when exploit opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverage a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows.

Researchers also found that the exploit submits users' machine details to (a remote server hosted on the OVH-hosted virtual machine in France) on port 80, which is no longer responding at the time of writing.

Although security researchers are still analyzing the Tor exploit code, a disassembly of it shows the latest zero-day flaw is very similar to a separate Tor Browser exploit that emerged in 2013.

The 2013 exploit was the work of the United States FBI, which was targeting Tor users who accessed child pornography.

Although Mozilla is scrambling to patch the critical vulnerability, it is still unknown who is behind the current Javascript exploit.
"So it sounds like the immediate next step is that Mozilla finishes their patch for it then…a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Tor Project lead Roger Dingledine said.
The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.