A vulnerability in Mozilla’s Firefox browser is currently being used to attack Tor Browser users. Both Mozilla and the Tor Project released patches for the vulnerability today, and the two organizations recommend everyone to update their browsers immediately.
Memory Corruption Bug Actively Exploited On Windows
The vulnerability, along with the code that exploits it in the wild, was found by an independent security researcher who alerted the Tor Project developers on the organization’s mailing list. The exploit code seems to work only on Windows and can directly call kernel32.dll, a core part of Windows.
It also seems to share most of the code with a 2013 exploit used by the FBI against the Tor browser. Therefore, it was either the FBI using it again, or someone that repurposed the code for their own malicious objectives. However, it’s typically governments that try to actively exploit the Tor browser, so chances that it was a random individual hacker are rather slim.
The Tor Project was alerted with the following message, followed by the exploit code:
“This is an Javascript exploit actively used against TorBrowser NOW,” warned the security researcher.“It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to "VirtualAlloc" in "kernel32.dll" and goes from there. Please fix ASAP,” he urged.
The exploit code was a combination of HTML, CSS, and JavaScript. The code could be hosted on a website, and when a user would visit it through Tor or Firefox, it would construct an SVG file that would then trigger a “user-after-free” (UAF) memory corruption in the SVG parser of Firefox and Tor. This would be used to leak the user’s real IP, which would be collected by an online server (which is now offline). The server was located at the IP address 5.39.27.226 and could be accessed through port 80.
Firefox, Behind The Pack On Security
Dan Guido, the CEO of Trail of Bits, a security research company, mentioned on Twitter that the exploit is not that advanced, but it can cause significant damage because of Firefox's weak security mitigations.
He even called the exploit “Pwn2Own 2012-level tech,” implying that Mozilla’s browser, on which the Tor Browser is based, is about four years behind everyone else in security. He added that it would’ve been much harder to use an exploit like this against the Chrome and Edge browsers, which have better memory sandboxes and exploit mitigations than Firefox does.
Being so far behind the others in security could explain why Firefox wasn’t invited to the Pwn2Own contest this year. However, with Mozilla’s renewed focus on security and performance, it may be able to catch up to the other browsers in security soon.
The Electrolysis architecture should provide some sandboxing capabilities to Firefox over the next year, while the new code written in the memory-safe Rust programming language should limit the number of memory corruption bugs. However, Mozilla is definitely in a race against time, as its market share keeps dropping, to protect the reputation of Firefox as a secure browser before more such critical vulnerabilities appear.
If you're using Firefox or the Tor Browser, you should update immediately to the latest version.
