The Complete Magazine on Open Source

Mozilla fixes Firefox zero-day through latest update


Firefox zero-day vulnerability

Mozilla has pushed a new update to patch the infamous Firefox zero-day. Developers at the Mozilla Foundation have also updated Tor Browser to address the security issue, which was being used to unmask users' private browsing.

Described as “a use-after-free vulnerability”, the issue first emerged on Firefox earlier this week. It allowed attackers to execute arbitrary code on a target system using a malicious JavaScript and SVG (Scalable Vector Graphics) snippet on a webpage.

Soon after its debut on Firefox, the vulnerability was posted to a public Tor Project mailing list. It appeared to have been developed by a law enforcement agency.

“The exploit, in this case, works in essentially the same way as the ‘network investigative technique’ used by FBI to deanonymise Tor users. This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency,” Mozilla security official Daniel Veditz wrote in a blog post.

The security hole enabled attackers to send the target’s IP and MAC addresses to their central servers.

Veditz confirmed that Mozilla fixed the vulnerability in Firefox 50.0.2, Firefox ESR 45.5.1 and Thunderbird 45.5.1. The Tor Project, which is maintained by Firefox’s Mozilla Foundation, has also published version 6.0.7 to address the issue. The Tor update includes an upgrade for NoScript, which works as a Firefox extension to customise JavaScript execution in the browser.