Mozilla and Tor rolled out critical patches to their browsers yesterday to block a live attack that is specifically aimed to unmask users of the Firefox-based Tor Anonymity network.
A Tor official issued an announcement saying that the security flaw is found to be active on Windows systems, though no indications have been found exploiting the same on OS X and Linux platforms, the underlying bug still makes the system vulnerable and advised users to update their Tor Browsers immediately as well, Arstechnica reported.
Reacting to the discovery, Mozilla security official Daniel Veditz said the vulnerability has been fixed in the immediate release of a Firefox update for mainstream users. Veditz said they received a copy of the attack code that targeted a previously unknown vulnerability in Firefox. The attack collects real IP and MAC addresses of Windows systems and sends it to a central server, Veditz said.
They found that the attack code is similar to that used by the FBI in 2013 to unmask Tor-protected users and track down those who are engaged in trading child pornography. Veditz wrote in his blog that the uncanny similarity of the code suggests that the exploit was created by the FBI or another law enforcement agency, however, he added that they are not sure whether this is the case.
The Tor browser update also contained an update to the NoScript JavaScript blocker. Traditionally, Tor's NoScript allowed all sites to execute JavaScript in its browser as policy. The resulting update provides no information what effects it now has on its policy after rolling out the new NoScript update.
A 2015 investigation revealed that the FBI used the same method to identify users of a pedophile site Playpen. The judge presiding over the case ordered the agency to detail how it hacked a defendant's computer. A Judge in a related case revealed in a court filing that the FBI had used a "non-publicly-known vulnerability" to hack into suspected individuals on Tor, Motherboard reported.
Veditz stated that this latest incident if it does involve the government clearly, illustrates a problem with law enforcement using zero-day exploits. He stresses that now that it has been published and used by anyone to attack Firefox users demonstrate government's limited hacking can become a threat to the broader web.