
Firefox 50.0.2 patches actively-attacked 0-day JavaScript vulnerability

The following information was excerpted from http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-... and http://www.itnews.com.au/news/firefox-javascript-zero-day-under-active-exploit-443050?

A JavaScript zero-day vulnerability affecting the Mozilla Firefox web browser is currently being actively exploited against The Onion Router (TOR) anonymising network users by unknown attackers.

The exploit causes memory corruption and executes attack code that would find a TOR user's real IP address and network adapter MAC identifier, and relay it back to a server in France.

A representative of Mozilla said officials are aware of the vulnerability and are working on a fix.

Until a patch is available, Firefox users should use an alternate browser whenever possible, or they should at the very least disable JavaScript on as many sites as possible. People should avoid relying on Tor in cases where deanonymizing attacks could pose a significant threat.

Free Internet Security - WOT Web of Trust       Use OpenDNS       MalwareBytes Anti-Malware


Windows 10 Pro (64-bit), Panda DOME 18.7.4, MBAM3 Pro, Windows Firewall, OpenDNS Family Shield, SpywareBlaster, MVPS HOSTS file, MBAE Premium, MCShield, WinPatrol PLUS, SAS (on-demand scanner), Zemana AntiLogger Free, Microsoft EDGE, Firefox, Pale Moon, uBlock Origin, CryptoPrevent.


[I believe computer-users who sandbox (Sandboxie) are acting prudently.]


RE: Unpatched 0-day JavaScript vulnerability under attack in Firefox

Firefox 50.0.2 has been released (https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/), which indeed patches the vulnerability discussed above: http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-acti...

Firefox SVG Animation Remote Code Execution

Announced: November 30, 2016
Products: Firefox, Firefox ESR, Thunderbird
Fixed in:
  • Firefox 50.0.2
  • Firefox ESR 45.5.1
  • Thunderbird 45.5.1

CVE-2016-9079: Use-after-free in SVG Animation

Reporter: Obscured Team
Impact: critical
Description:

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.


RE: PATCHED! 0-day JavaScript vulnerability under attack in Firefox

For those wondering, people running Malwarebytes Anti-EXPLOIT were already protected against this 0day.

https://blog.malwarebytes.com/threat-analysis/2016/11/tor-browser-zero-day-strikes-again/
