The zero-day vulnerability became known when an anonymous Tor browser user notified the Tor mailing list of the newly discovered exploit, and posted the exploit code on a Tor Project mailing list from a Sigaint.org email address. “This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to “VirtualAlloc” in “kernel32.dll” and goes from there. Please fix ASAP. I had to break the “thecode” line in two in order to post, remove ‘ + ‘ in the middle to restore it,” the anonymous user wrote. The news was quickly confirmed by Roger Dingledine, co-founder of the Tor Project Team, who said that the Mozilla Firefox team had been notified, and they had “found the bug” and were “working on a patch.” The zero-day is a memory corruption vulnerability that could be exploited to execute malicious code on Windows Machines. While the attacks were basically used to target Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk from new attacks. The Tor Browser is based on a version of Firefox and the two often share common vulnerabilities. Even though a patch has been released, it is still recommended that Firefox users temporarily switch to an alternate browser such as Chrome or Safari whenever possible, or temporarily disable JavaScript on Firefox for as many sites as possible. However, it should be noted that the Tor Project advises against disabling JavaScript. While the exploit currently appears to only target Firefox on Windows, Dan Guido – CEO of Security firm Trail of Bits – noted on Twitter that macOS users of Firefox are also vulnerable.
