The Mozilla Foundation says it is working fast to patch a zero-day vulnerability in its Firefox web browser that allows third parties to unmask the true IP address of users of the Tor Project's anonymizing Tor Browser.
Security professionals say the vulnerability is being actively exploited by unknown actors.
The zero-day, security experts point out, is nearly identical to an exploit the FBI built and deployed in 2013 as part of the agency's efforts to identify Tor Browser users who were sharing child pornography.
Roger Dingledine, Tor's co-founder, quickly confirmed the zero-day and said the Mozilla Foundation is working to patch the vulnerability.
Tor Browser is built on Firefox's open source code (the Extended Support Release branch), bundled with the Tor client, which routes the browser's traffic through the Tor network. That routing is only as good as the browser's isolation: an exploit that achieves native code execution inside the browser process can open its own network connection outside the Tor circuit, which is how a browser bug becomes an IP-address leak.
A Mozilla spokesperson issued a brief statement to Threatpost stating: “We have been made aware of the issue and are working on a fix. We will have more to say once the fix has been shipped.”
Technical details are scant and limited to a post to the tor-talk mailing list, which described the exploit only briefly:
“It consists of one HTML and one CSS file, both pasted below and also de-obscured.
The exact functionality is unknown but it’s getting access to ‘VirtualAlloc’ in ‘kernel32.dll’ and goes from there. Please fix ASAP.”
Security professionals who have conducted preliminary analysis note that the payload delivered by the exploit bears an uncanny similarity to the 2013 FBI exploit.
Like the 2013 FBI exploit, the Firefox zero-day discovered Tuesday takes advantage of a memory corruption vulnerability to execute malicious code on Windows computers.
According to the tor-talk post, Firefox versions 41 through 50 are affected.
A security researcher using the Twitter handle @TheWack0lian posted a comparison of the 2013 FBI shellcode with the 2016 shellcode, commenting on Twitter that "The shellcode used is almost exactly the shellcode of the 2013 one … except it builds sockaddr_in on the stack."
The shellcode used is almost exactly the shellcode of the 2013 one https://t.co/6vuIzqp0rj
…except it builds sockaddr_in on the stack. https://t.co/pWsUe4uHiZ
— slipstream/RoL (@TheWack0lian) November 29, 2016
Dan Guido, security researcher and CEO of Trail of Bits, chimed in on Twitter Wednesday, saying that "the vulnerability is also present on macOS, but the exploit does not include support for targeting any operating system but Windows." In other words, macOS users of the affected versions remain exposed until the fix ships, even though this particular exploit would not run against them.
The vulnerability is present on macOS, but the exploit does not include support for targeting any operating system but Windows.
— Dan Guido (@dguido) November 30, 2016
The Tor Browser revelation Tuesday dredges up issues surrounding the government's stockpiling and use of zero-day exploits.
In April, FBI Director James Comey revealed the agency paid an undisclosed third party more than $1 million for a hacking tool that unlocked the iPhone 5c of San Bernardino terrorist Syed Farook.
In May, Mozilla filed a motion with the U.S. District Court in Tacoma, Wash., asking the government to disclose a vulnerability it had exploited in Tor Browser and Firefox in an earlier investigation.
The FBI did not return inquiries for comment for this story.
Chris Soghoian, principal technologist with the American Civil Liberties Union, noted in a tweet that the malware discovered in the Tor Browser exploit Tuesday is calling home to a French IP address, adding "I'd be surprised to see a US federal judge authorize that."
The Tor malware calling home to a French IP address is puzzling though.
I'd be surprised to see a US federal judge authorize that. https://t.co/FiOPwRj0C7
— Christopher Soghoian (@csoghoian) November 29, 2016
This story will be updated as more information becomes available.