Mozilla has released a new version of Firefox that fixes the zero-day vulnerabilities discovered yesterday. The upgrade to Firefox 50.0.2 will be installed automatically within the next 24 hours, but users who have disabled automatic updates in the settings can download the browser from the official website. The Tor Project has also distributed an update to the Tor Browser, the main target of the exploit circulating on the Net.

Since the exploit code has been published on the Tor Project mailing list, anyone can place it inside a web page and find out the IP address that the Tor network is supposed to hide. Indeed, the vulnerability has already been exploited to identify users who visited a website containing child pornography. The administrator has closed the main site, but left the chat site online. It is likely that the attack was carried out by the FBI, but there is no confirmation to that effect. Similar exploits could be used to target legitimate sites, such as those frequented by political dissidents.

A Bugzilla user says that the bug has been present in the Firefox code for at least five years, and not only since version 41, as previously assumed. Mozilla says that the zero-day vulnerability is exploited to execute arbitrary code on the target system when the user opens a page containing JavaScript and SVG with Firefox or Tor Browser. An attacker can then find out the IP and MAC addresses, which are then sent to a remote server. The payload of the exploit only works on Windows, but the bug is also present on Linux and macOS.

The new 6.0.7 version of the Tor Browser includes Firefox 45.5.1 ESR and NoScript 2.9.5.2, an extension that allows you to choose which sites can run JavaScript code in the browser.
