Firefox 50.0.2 patches actively-attacked 0-day Javascript vulnerability
The following information was excerpted from http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/
and http://www.itnews.com.au/news/firefox-javascript-zero-day-under-active-exploit-443050?
A JavaScript zero-day vulnerability affecting the Mozilla Firefox web browser is currently being actively exploited against The Onion Router (TOR) anonymising network users by unknown attackers.
The exploit causes memory corruption and executes attack code that would find a TOR user's real IP address and network adapter MAC identifier, and relay it back to a server in France.
A representative of Mozilla said officials are aware of the vulnerability and are working on a fix.
Until a patch is available, Firefox users should use an alternate browser whenever possible, or they should at the very least disable JavaScript on as many sites as possible. People should avoid relying on Tor in cases where deanonymizing attacks could pose a significant threat.
ky331
November 30th, 2016 14:00
Firefox 50.0.2 has been released (https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/),
which indeed patches the vulnerability discussed above: http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/
Firefox SVG Animation Remote Code Execution
CVE-2016-9079: Use-after-free in SVG Animation
Description
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.
ky331
November 30th, 2016 15:00
For those wondering, people running Malwarebytes Anti-Exploit were already protected against this 0day.
https://blog.malwarebytes.com/threat-analysis/2016/11/tor-browser-zero-day-strikes-again/