MOZILLA rushed out a patch for a critical security flaw affecting Firefox 49 and 50 this week, just as a new exploit for an even bigger security flaw was uncovered that targets those using the browser with Tor.
The zero-day flaw exploits a heap overflow bug and enables malicious code to be run on targeted Windows PCs. Over on the official Tor website, the flaw was verified by Tor co-founder Roger Dingledine. It consists of one HTML and one CSS file.
Dingledine confirmed that Mozilla is already working on a patch to fix the flaws.
"It sounds like the immediate next step is that Mozilla finishes their patch for it; then the step after that is a quick Tor Browser update," he said. "And somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser."
According to security specialists, the payload of the exploit is almost identical to one used by the FBI in 2013 to de-anonymise and identify the IP addresses of people visiting a child-rape website.
"When I first noticed the old shellcode was so similar, I had to double check the dates to make sure I wasn't looking at a three-year-old post," suggested one security specialist.
Currently, the exploit code points to IP address 188.8.131.52, which is a server hosted by OVH in France, which makes it unlikely that the FBI (or any other US agency) is behind it.
Just days before this exploit was outed, Mozilla patched another critical flaw that enabled an attacker to take control of a targeted PC - and that came just two weeks after another major patch for the open-source web browser.
In an advisory published this week along with the patch, the Mozilla Foundation admitted that the flaw "can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them." µ
So that's why she's smiling…
How many Zuckbucks to the pound?
Alexa, is this exploitation?