The news is disconcerting and confirms the existence of a zero-day exploit in the wild that’s being used by threat actors to de-anonymize Tor users by executing malicious code on their machine. The zero-day exploit targets Tor users and also other netizens using the Firefox browser.
Roger Dingledine, the notorious Tor co-founder, confirmed the zero-day and announced that the Mozilla security team is already working to fix it.
The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows Machines.
The security researcher Raylee (@TheWack0lian) explained that the payload used in the recent wave of attacks is quite similar to the one used by law enforcement in 2013 to de-anonymize the users of a child pornography site hosted on Freedom Hosting.
“It’s basically almost EXACTLY the same as the payload used in 2013,” TheWack0lian told Ars. “It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”
The zero-day exploit code works on various versions of the Firefox browser, from 41 to 50, the code is able to target all these versions a circumstance that suggests that its authors have improved the malicious code across the time.
Waiting for a patch from Mozilla, users avoid relying on Tor to protect their anonymity.
(Security Affairs – Mozilla Firefox Zero-day, hacking)