
Investigating Security Vulnerability Report

Update – August 5, 2013

Issue
Mozilla was notified on August 4, 2013 of a potential security vulnerability with Firefox 17 (current general release is Firefox 22). Upon investigation we confirmed the vulnerability and determined the root of the issue was related to MFSA 2013-53. This vulnerability was fixed in Firefox versions 17.0.7 and 22, which were released on June 25, 2013.

Impact
Users who are on the latest version of Firefox (version 22) or Firefox ESR (version 17.0.7) are not at risk. If a user is running an outdated version of Firefox, then this vulnerability could be used by an attacker to execute malicious software on a victim’s machine. Mozilla has been alerted that this issue is being actively exploited in the wild and urges all users to make sure their Firefox is up to date.

Status
This vulnerability was fixed in Firefox versions 17.0.7 and 22, which were released on June 25, 2013. Firefox users should follow these instructions to confirm they are running the latest version of Firefox (currently version 22 and 17.0.7 for ESR) which contains the fixes for this vulnerability.
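A sketch of how an administrator might apply the fixed-version rule above across a set of machines. It is an added example, not Mozilla's code, and it assumes version strings in the form printed by `firefox --version`; the host names and inventory values are constructed.

```python
import re

# Fixed releases named in the advisory: Firefox 22 and Firefox ESR 17.0.7.
FIXED_RELEASE = (22, 0, 0)
FIXED_ESR = (17, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a string such as 'Mozilla Firefox 17.0.7'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(text):
    """Return 'patched', 'at-risk' or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v >= FIXED_RELEASE:
        return "patched"
    # The ESR 17 branch received the fix as 17.0.7. Compare numerically so
    # that 17.0.10 sorts after 17.0.7 (a plain string comparison would not).
    if v[:2] == FIXED_ESR[:2] and v >= FIXED_ESR:
        return "patched"
    return "at-risk"


def audit(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (host names and values are illustrative).
SAMPLE = {
    "desk-01": "Mozilla Firefox 22.0",
    "desk-02": "Mozilla Firefox 17.0.6",
    "desk-03": "Mozilla Firefox 17.0.7",
    "desk-04": "Mozilla Firefox 21.0",
    "desk-05": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:8} {SAMPLE[host]:28} {status}")
```

Hosts reported as `unknown` need a manual check, since the absence of a parsable version says nothing about whether an outdated build is installed elsewhere on the machine.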

Original Post

Mozilla has been notified of a potential security vulnerability in Firefox 17. Firefox 17 is currently the extended support release version.

We are actively investigating this information and we will provide additional information when it becomes available.

Michael Coates
Director of Security Assurance

8 comments on “Investigating Security Vulnerability Report”

  1. Daniel Veditz wrote on

    The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53.

    People who are on the latest supported versions of Firefox are not at risk.

    Although the vulnerability affects users of Firefox 21 and below, the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services, presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.

    1. Tom wrote on

      Is it known what was contained in the content_1.html payload? The one loaded into the iframe in ESR versions < 17, and are these versions immune to the exploit? Maybe we're missing something else, contained in that page.

  2. Neal wrote on

    Really need to harden Firefox more. I expected Zero day attacks by the feds to be for more selective high level secretive espionage purposes, however the fact that they used it to bust up a child porn ring (as horrific as it is) makes it seem that zero days in Firefox aren’t as hard to come by as I thought.

    It would be ideal for most Firefox people to update to the latest all the time, however I don’t know if even a majority are updated to the latest according to the analytics sites like statcounter and netapplications.

    1. Daniel Veditz wrote on

      This wasn’t a “zero day” attack, it was an exploit based on a security advisory from 6 weeks ago. The number of users vulnerable to this (those who aren’t up to date) is dropping fast so the exploit is losing most of its value anyway.

      1. Baneki Privacy Labs wrote on

        Is there any way to confirm that this FBI malware hasn’t been used prior to the 25 June public disclosure of the memory bug being exploited? Just because we’re seeing this latest Tor exploit today doesn’t mean it’s not been used previously – or does it? Are we all so confident that we’d know if this exploit was being used, say, 3 months ago in a more selective manner… but nobody noticed?

        This “became” a 0day on 25 June – when the FBI knew about it is still, ontologically, an open question.

      2. Christopher wrote on

        Agreed, Daniel. It also appears that the attack was specifically aimed at people using the Alpha Version of Tor Browser Bundle’s “No Vidalia needed” version that came out before the latest.

        It seems…. weird, at the very least, that they would target something that only a small number of TOR users would be using to test.

  3. AnonyÓðinn wrote on

    Not sure if this has been finished yet, but some time back there was this effort to bulk up ECC / keys and deal with hidden services problems and address other Tor issues. Has that been done yet? If not, is the issue / problem related to a need for more volunteers, more donations, something else entirely?
    see https://blog.torproject.org/comment/reply/698/23486
    and https://blog.torproject.org/blog/hidden-services-need-some-love (Extensive Discussion)
    and https://blog.torproject.org/blog/prism-vs-tor (More Extensive Discussion)

    And, re. TBB updates, fixes, etc… is this also happening for Tails?

    And, I’m curious if Tor will ever be developed into something like an extension for Chrome, for example. Will it ever be made available in a way such that it can be incorporated directly into browser x, y, or z (any browser) as a button that you would click on in your browser, and right then, you are connecting to the tor network?
    Because (assuming the security issues are addressed) I think that would be a really neat feature. Just saying.

    Also, my vote is to keep the javascript bit out of the subsequent tor updates / releases. That kind of stuff should all be off by default.

    Things running through my head: metadata, traffic analysis, tor, darknets, meshnets/ tor over meshnet, etc, etc

  4. Steven C. wrote on

    IIRC this particular vulnerability existed way back since the FF 3.x series, so it could potentially affect many people not using the latest supported versions. But it would be easily avoided by disabling JavaScript and/or using the NoScript add-on very strictly.