---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Firefox Vulnerability'
version: '1.1'
number: '2016-142'
fontsize: '11pt'
---

_History:_

* _30/11/2016 --- v1.0 -- Initial publication_
* _01/12/2016 --- v1.1 -- Patches released by Mozilla and Tor Project_

# Summary

On 29 November 2016, JavaScript code exploiting a vulnerability in Firefox was discovered. The exploit takes advantage of a bug in Firefox to let an attacker execute arbitrary code on the targeted system once the victim loads a web page containing malicious JavaScript and SVG code [5]. While the disclosed payload only works on Windows, the vulnerability also exists on Mac OS and Linux. The vulnerability also affects Mozilla Thunderbird, and because the Tor Browser is based on the Firefox engine, it is vulnerable as well.

A patch from Mozilla was issued on 30 November 2016 [4,5]. Since the exploit code is public and is actively being used, updating Firefox and Thunderbird -- as well as the Tor Browser -- is highly recommended.

# Technical Details

On 29 November 2016, users on the Tor Project forum started reporting that a JavaScript exploit was being actively used against the Tor Browser [1]. An independent researcher noticed that the exploit is almost identical to one used in 2013 to de-anonymize Tor Browser users [2]. The exploit requires JavaScript to be enabled.

The JavaScript code disclosed on the forum exploits a heap overflow bug, a type of buffer overflow that occurs in the heap data area. The code adjusts the memory location of the payload according to the version of Firefox being exploited and makes direct calls to `kernel32.dll`, a core part of any Windows operating system, allowing remote code execution on the target [3].

On 30 November 2016, Mozilla provided a patch and technical details on the vulnerability [4,5]. The bug is a use-after-free vulnerability in SVG animation processing.

# Vulnerable Systems

* Firefox from version 41 up to, but not including, 50.0.2 [4]
* Thunderbird mail clients prior to 45.5.1 [4]
* Tor Browser prior to 6.0.7 [6]

# Recommendation

Update Mozilla Firefox to version 50.0.2, Mozilla Thunderbird to version 45.5.1 and the Tor Browser to version 6.0.7.

A workaround on affected versions is to deactivate JavaScript. To deactivate JavaScript in Firefox:

* go to the address bar, type `about:config` and press Enter;
* locate `javascript.enabled` and double-click its `value` field to set it to `false`.

# References

[1] Tor Project ---
[2] Twitter ---
[3] ArsTechnica --- [http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/](http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/)
[4] Mozilla ---
[5] Mozilla Blog ---
[6] Tor Project ---
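The version ranges listed under Vulnerable Systems above, turned into an inventory check as an added example (this is not CERT-EU's or Mozilla's code). It assumes version strings in the form printed by `firefox --version` or found in a software inventory export, ignores suffixes such as `esr`, and applies the advisory's ranges literally; the sample inventory is constructed.

```python
"""Checks version strings against the affected ranges of CERT-EU advisory 2016-142.
Added example; the ranges are taken from the advisory, the inventory below is constructed."""
import re

# Affected ranges as stated in the advisory: (inclusive lower bound, exclusive fixed version).
# None as lower bound means "every version prior to the fixed one".
AFFECTED = {
    "firefox": ((41,), (50, 0, 2)),
    "thunderbird": (None, (45, 5, 1)),
    "tor browser": (None, (6, 0, 7)),
}

def parse_version(text):
    """Return the leading dotted numeric version in 'Mozilla Firefox 50.0.1' or '45.5.1esr'
    as a tuple of ints. Assumption: a suffix such as 'esr' carries no meaning for the check."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(product, version_text):
    """True if product/version lies inside the advisory's affected range (tuple comparison)."""
    key = product.strip().lower()
    if key not in AFFECTED:
        raise KeyError("product not covered by this advisory: %r" % product)
    low, fixed = AFFECTED[key]
    v = parse_version(version_text)
    if low is not None and v < low:
        return False
    return v < fixed

def triage(inventory):
    """inventory: iterable of (host, product, version_text). Returns hosts still needing the update, by product."""
    todo = {}
    for host, product, version_text in inventory:
        if is_vulnerable(product, version_text):
            todo.setdefault(product.strip().lower(), []).append(host)
    return todo

if __name__ == "__main__":
    # Constructed sample inventory (not data from the advisory).
    sample = [
        ("ws01", "Firefox", "Mozilla Firefox 50.0.1"),
        ("ws02", "Firefox", "50.0.2"),
        ("mail1", "Thunderbird", "45.5.0"),
    ]
    for product, hosts in sorted(triage(sample).items()):
        print("%s: update needed on %s" % (product, ", ".join(hosts)))
```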