A Firefox zero-day being exploited in the wild against Tor users relies on code that is nearly identical to what the FBI used in 2013 to unmask Tor users.
A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had “found the bug” and were “working on a patch.” On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox.
Several researchers started analyzing the newly discovered zero-day code.
Dan Guido, CEO of TrailofBits, noted on Twitter, that “it’s a garden variety use-after-free, not a heap overflow” and it’s “not an advanced exploit.” He added that the vulnerability is also present on the Mac OS, “but the exploit does not include support for targeting any operating system but Windows.”
Security researcher Joshua Yabut told Ars Technica that the exploit code is “100% effective for remote code execution on Windows systems.”
“The shellcode used is almost exactly the shellcode of the 2013 one,” tweeted a security researcher going by TheWack0lian. He added, “When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post.”
He’s referring to the 2013 payload used by the FBI to deanonymize Tor users visiting a child porn site. The attack allowed the FBI to tag Tor Browser users who believed they were anonymous while visiting a “hidden” child porn site on Freedom Hosting: the exploit code forced the browser to send information such as the MAC address, hostname and IP address to a third-party server with a public IP address, and the feds could then use that data to obtain users’ identities via their ISPs.
TheWack0lian also discovered that the malware was talking to a server assigned to French ISP OVH, but the server seemed to be down at the time.
That information prompted privacy advocate Christopher Soghoian to tweet, “The Tor malware calling home to a French IP address is puzzling though. I'd be surprised to see a US federal judge authorize that.”
Tor users should definitely keep an eye out for a security update. However, with the exploit code available for anyone to view and possibly tweak, it would be wise for all Firefox users to pay attention as the story develops. Some vulnerabilities in the Firefox version that Tor Browser is built on are also present in regular Firefox, although at the moment the zero-day appears to be another spying tool aimed specifically at the Tor Browser.