Possible Tor Browser de-cloak zero day dropped, patch in works

[Batu69]

Mozilla patch crew confirms a fix is on the way

A zero day Javascript exploit has emerged and, as it has the potential to de-cloak Tor Browser users, has sparked a flurry of patching activity.

Little detail of the problem has been revealed, as it surfaced a few hours ago on the Tor Project mailing list in a post from an anonymous user writing in from the Sigaint dark web email service. That post said the flaw is in active use against users of the Firefox-based TorBrower.

 

 

"This is an Javascript exploit actively used against TorBrowser now," the author wrote .

"It consists of one HTML and one CSS file, both pasted below and also de-obscured.

"The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."

 

The flaw which appears to leak users' MAC address and IP addresses to external servers was shipped to Mozilla's security team which has located the flaw and is working on a patch, Tor Project lead Roger Dingledine says.

 

"So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine says.

 

Early analysis suggests this problem has striking similarities to a separate exploit against the Tor Browser revealed in 2013, according to code comparision efforts.

We'll update this story as details come to hand.

 

Article source

 

Other source: Firefox 0day in the wild is being used to attack Tor users

[46&2]

Anyone who uses such things can get problems. I know things like java, javascript, flash etc make the web more "friendly". What one must remember is it also makes the web more dangerous. You have your ass hanging out, so to speak! I am a minimalist and lets just say "old school" and a bit paranoid. I am also safe and happy! :bag: