Mozilla Patches Firefox Zero-Day Exploited to Unmask Tor Users

Security updates released on Wednesday for Firefox and the Tor Browser address a zero-day vulnerability exploited to deanonymize Tor users. Evidence suggests that the exploit may have been used by a law enforcement agency in an operation targeting child pornography distributors.

The exploit surfaced earlier this week and Mozilla immediately started working on a patch. According to the organization, the vulnerability leveraged by the exploit is a critical use-after-free affecting the SVG Animation component in Firefox.

Mozilla resolved the flaw, tracked as CVE-2016-9079, with the release of Firefox 50.0.2, Firefox ESR 45.5.1 and Thunderbird 45.5.1. In the Tor Browser, which is based on Firefox, the issue has been addressed in version 6.0.7. The Tor Project told users that those who had set their security slider to “High” were not affected by the vulnerability.

The exploit has been analyzed by several organizations. Mozilla said the attackers used it to execute arbitrary code on targeted systems by getting the targeted individual to open a webpage containing specially crafted JavaScript and SVG code. The payload is designed to harvest the targeted system’s IP and MAC address and send it back to a remote server.

“In this case, for example, the goal is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is ran directly from memory,” explained researchers at Malwarebytes.

The exploit has been designed to work only on Windows systems, but the vulnerability affects Linux and Mac OS as well. Memory partitioning mitigations make this flaw difficult to exploit in Chrome and Edge.

G Data researchers have also analyzed the shellcode and they determined that it “looks clean and organized” and “it contains error checking and cleans up after it has fulfilled its purpose.”

The researcher known online as “TheWack0lian” determined that the payload is similar to the one used by the FBI in 2013 to identify Tor users suspected of being child-pornography traders. A user reported on Hacker News that the exploit was loaded on the login confirmation page of a dark web child pornography website called Giftbox.

Earlier this year, Mozilla asked a court in the Western District of Washington to require the government to disclose a flaw exploited by law enforcement in 2015 in a different operation aimed at child pornography suspects.

“The exploit in this case works in essentially the same way as the ‘network investigative technique’ used by FBI to deanonymize Tor users (as FBI described it in an affidavit). This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency,” Daniel Veditz, security lead at Mozilla, said in a blog post on Wednesday.

“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” Veditz added.