As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users.

The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue an emergency update (6.0.7) in its Tor Browser – which is partially built on open source Firefox code – on Wednesday.

According to Daniel Veditz, who leads Mozilla’s security team, Firefox users should have their browsers automatically updated at some point over the next 24 hours. If they’d rather not wait, users can download the updated versions – Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1. – manually.

The issue, a use-after-free vulnerability, technically existed in an object, nsSMILTimeContainer, which is used to facilitate SVG animation in Firefox. Assuming an attacker could trick a user into visiting specially-crafted web content, they could have leveraged the vulnerability to remotely execute arbitrary code on the system.

Veditz said Wednesday afternoon that because of the way the vulnerability behaved, it was collecting and forwarding IP and MAC addresses thought to be private and forwarding them back to a central server.

“The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well,” Veditz wrote.

Veditz acknowledged many security researchers surmised on Twitter Wednesday that the way ToR vulnerability worked was similar to the way the FBI de-anonymized Tor users in 2013. While Veditz stopped short of saying the exploit was created by the FBI or law enforcement, he did float the idea and warned how it could pose a serious threat to privacy.

“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” Veditz said.

Categories: Privacy, Vulnerabilities, Web Security