Mozilla and the Tor Project have released security updates that fix the Firefox 0-day flaw that was spotted being exploited to de-anonymize Tor Browser users.
It is still unknown who started wielding the exploit initially, although it’s similarity to a previous one used by the FBI in 2013 to target users of hidden services seems to point in that direction.
The vulnerability (CVE-2016-9079) affects SVG Animation module in Firefox and in Tor Browser, since the latter is based on the former (specifically, on the Firefox ESR browser).
The use-after-free, remote code execution flaw is likely being exploited to reveal information about the machine (MAC address), and through it the identity of its user. But, according to GData Software researchers, no persistent threat is left on the target computer, as everything is done in memory.
Firefox users should upgrade to version 50.0.2, Firefox ESR users to version 45.5.1, and Thunderbird users to version 45.5.1, as soon as possible. The exploit code has been made public, and cyber criminals are likely to start using it soon – if they aren’t already.
Tor Browser users should upgrade to version 6.0.7.
“The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well,” Tor Browser developer Georg Koppen explained, and added that “Tor Browser users who had set their security slider to ‘High’ are believed to have been safe from this vulnerability.”