
Mozilla and Tor Warn of Critical Firefox Vulnerability, Urge Users to Update

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,442
11,828



Mozilla and Tor have published browser updates to patch a critical Firefox vulnerability used to deanonymize users (via ArsTechnica).

Privacy tool Tor is based on the open-source Firefox browser developed by Mozilla, which received a copy of the previously unknown JavaScript-based attack code yesterday. Mozilla said in a blog post that the vulnerability had been fixed in a just-released version of Firefox for mainstream users.


The code execution flaw was reportedly already being exploited in the wild on Windows systems, but in an advisory published later on Wednesday, Tor officials warned that Mac users were vulnerable to the same hack.
"Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."
The exploit is capable of sending the user's IP and MAC address to an attacker-controlled server, and resembles "network investigative techniques" previously used by law-enforcement agencies to unmask Tor users, leading some in the developer community to speculate that the new exploit was developed by the FBI or another government agency and was somehow leaked. Mozilla security official Daniel Veditz stopped short of pointing the finger at the authorities, but underlined the perceived risks involved in attempts to sabotage online privacy.
"If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web."
The Firefox attack code first circulated on Tuesday on a Tor discussion list and was quickly confirmed as a zero-day exploit - the term given to vulnerabilities that are actively used in the wild before the developer has a patch in place.

The latest Tor update that fixes the vulnerability is version 6.0.7 and can be downloaded here.

Vanilla Firefox users can download the update to their browser manually from here.

Article Link: Mozilla and Tor Warn of Critical Firefox Vulnerability, Urge Users to Update
 

JosephAW

macrumors 68040
May 14, 2012
3,373
3,997
Mozilla, please make sure you update your ESR versions as well for those of us who are unable to run your latest release on perfectly good devices. This includes iOS users as well that can't run iOS 9 & 10. Thank you.
 

Kajje

macrumors 6502a
Dec 6, 2012
722
958
Asia
I've downloaded 50.0.1 this morning, now 50.0.2 is available.
To force upgrade: Open Menu Firefox, About Firefox, there's the update button.
And open the same menu again to restart Firefox.

*** Just going to Firefox.com might show that you've the latest version running, even if you're still on 50.0.1. But you're probably not running the latest version, so use the above to upgrade.
 

69Mustang

macrumors 604
Jan 7, 2014
7,580
14,371
In between a rock and a hard place
So, which version should I be using to be protected? For both platforms (Windows/Mac)?
"Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

Both.
 

maflynn

Moderator
Staff member
May 3, 2009
67,177
34,302
Boston
People still use Mozilla? I thought most folks moved on to Chrome, or Safari.

For no other reason than just because. I've migrated off of Mozilla; Safari seems decent enough.
 

Rigby

macrumors 603
Aug 5, 2008
5,328
7,423
San Jose, CA
Mozilla, please make sure you update your ESR versions as well for those of us who are unable to run your latest release on perfectly good devices.
Firefox ESR 45.5.1 includes the security fix.
This includes iOS users as well that can't run iOS 9 & 10. Thank you.
I doubt the iOS version is affected, as it uses Apple's Webkit layout engine rather than Mozilla's Gecko (which is used in the desktop version).
 

RMo

macrumors 65816
Aug 7, 2007
1,220
215
Iowa, USA
Mozilla, please make sure you update your ESR versions as well for those of us who are unable to run your latest release on perfectly good devices.

"ESR" stands for "extended support release." What you're looking for is precisely why the ESR branch is labeled as such: they continue to provide security updates to it for the length of its support cycle, which is longer--i.e., extended--compared to that of the mainstream versions. As another noted, the latest release, 45.5.1, includes this fix, which is what you should expect to happen if the ESR branch is affected.

This includes iOS users as well that can't run iOS 9 & 10. Thank you.
It, in fact, does not--Apple doesn't let people publish apps that can execute arbitrary code on the device, so Firefox is basically a wrapper around the same engine Safari uses (as is Chrome and pretty much any other browser on iOS, though notably not Opera Mini, which gets around this by doing most of the work on Opera's servers). The iOS app is not affected since it is an issue with the JavaScript and SVG engines. However, even if it were, old versions of Firefox on iOS are not considered "ESR," and Mozilla never promised to keep an old branch updated. (Such a practice is very rare, if not completely unheard of, for mobile apps in general.)

What's more interesting to me is the actual exploit details. Mozilla suggests that it might be an exploit intentionally created by the FBI or other government agency because it sounds similar to a technique they once used to de-anonymize Tor users. The exploit itself is a security concern regardless, however, because it allows the execution of an arbitrary payload.
 

Kajje

macrumors 6502a
Dec 6, 2012
722
958
Asia
People still use Mozilla? I thought most folks moved on to Chrome, or Safari.

For no other reason than just because. I've migrated off of Mozilla; Safari seems decent enough.
In many corporate environments, Firefox is - still - the browser of choice.

Some of them switched to Firefox around the time of Internet Explorer 6 (in the Windows 2000 / XP era) because IE6 was crap. When the new IE's came out they were improved, but not better than the current FF of that time.
Then many of these corporate networks allowed mixed OSes, and FF is something that worked on all of them.

Perhaps Chrome would have won the race if it came in earlier, but FF still did/does the job.
Changing browser company-wide could be a serious endeavor, with a significant risk that applications don't run as they should. Having a multi-platform browser and ESR are important for these environments.

And that's one of the reasons why today people indeed still use Mozilla. I have been using FF since corporate forced me to do so about 10 years ago. Since then I also used it on my personal machines. And I cannot say I regret it. It never let me down since the first day and it became part of the family.

I honestly envy you for using Safari. I've tried a couple times to switch, but it doesn't feel good. Now I fire up Safari just to tune into the keynotes live streams. Chrome is started briefly to enter certain apps that are not compatible with FF nor Safari.

That being said, I haven't installed Firefox on iOS. Strangely, Safari feels good enough while doing the occasional browse on the road. As we spend more and more time inside the browser it becomes a very personal thing. Habits are difficult to change.
 

Relentless Power

macrumors Nehalem
Jul 12, 2016
34,646
36,068
I've downloaded 50.0.1 this morning, now 50.0.2 is available.
To force upgrade: Open Menu Firefox, About Firefox, there's the update button.
And open the same menu again to restart Firefox.

*** Just going to Firefox.com might show that you've the latest version running, even if you're still on 50.0.1. But you're probably not running the latest version, so use the above to upgrade.

Strange. I'm not seeing the upgrade. I will re-attempt from a different platform.
 