Wordfence wrote: Update at 2:32pm PST / 5:32pm EST: Firefox released a fix for this a few minutes ago. Update to Firefox 50.0.2 now to patch this vulnerability. Tor have also released a fix with version 6.0.7 of their browser. There is also a Thunderbird fix out, version 45.5.1.
Last edited by b0b on 30 Nov 2016 4:54 pm, edited 2 times in total.
Ok. That was startling. Done (switched to Chrome.)
Been on FF for around 6 hours today including an update this morning. Wonder how to tell if I've been bugged.
This 0-day is targeting a specialized version of Firefox, known as the Tor Browser. It is redirecting Tor users to a now offline server in France. This is a JavaScript exploit, which is fairly common in the cybercrime underworld. Firefox users who have the NoScript Add-on enabled will not be impacted, whether on the Dark Web (Tor) or the Bright Web.
As is typical, Mozilla will release a patch to everybody after analyzing the exploit code. Tor Browser will probably get a fix first.
Tor Onion websites are fraught with danger anyway.
Last edited by Wiz Feinberg on 30 Nov 2016 9:48 am, edited 1 time in total.
Jon Light wrote: Ok. That was startling. Done (switched to Chrome.)
Been on FF for around 6 hours today including an update this morning. Wonder how to tell if I've been bugged.
Did you visit any Onion websites on Tor? Are you using the Firefox Tor browser?
Firefox for Windows update (50.0.2) is now available. If you don't want to wait for it to be pushed to you, in FF go to 'help / about' and the new version will be downloaded.
Happy about the update, but this zero-day was specifically written to expose the location of users of the Dark Web (Tor). There was no malicious code involved, just IP leakage. See this Malwarebytes article for more details.
Yes, this particular exploitation of the hole in FF was used for that purpose. The bigger concern was that once the vulnerability had been made public, other malicious payloads could/would take advantage of the now-known problem in Firefox and be delivered for purposes other than the Tor exposure. That is why FF needed to patch it so quickly.
Update at 2:32pm PST / 5:32pm EST: Firefox released a fix for this a few minutes ago. Update to Firefox 50.0.2 now to patch this vulnerability. Tor have also released a fix with version 6.0.7 of their browser. There is also a Thunderbird fix out, version 45.5.1.