Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch zero-day vuln

JavaScript smuggles malicious payload into PCs

Updated Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users.

Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address. Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor.

Tor Browser is a repackaged version of Firefox that runs connections through the anonymizing Tor network; it's supposed to hide your public IP address, and the exploit is designed to leak that potentially identifying information to persons unknown.

The exploit was posted by an anonymous user of the Sigaint dark web email service. That mailing list message said the flaw is being used right now against Tor Browser folks.

"This is a JavaScript exploit actively used against Tor Browser now," the author wrote.

"It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."

The exploit was lobbed at Mozilla's security team, which has studied the code and located the programming bug attacked by the JavaScript and SVG. It is working on a patch, Tor Project lead Roger Dingledine said.

"So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine noted.

Early analysis reveals the payload has striking similarities to a separate Tor Browser spying tool that emerged in 2013. According to reverse-engineering efforts, it appears once this latest x86 code injected by the JavaScript is running within the browser, it phones home to on port 80 and sends over the machine's information.

Whatever was behind that IP address is no longer responding to connections; it appears to have belonged to an OVH-hosted virtual machine. The 2013 payload was used by the FBI to decloak Tor-protected suspected criminals. ®

Updated to add

Tor Browser 6.0.7, Firefox 50.0.2 and Firefox 45.5.1esr have been released to fix the exploited vulnerability. ®

Similar topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022