{"id":2148,"date":"2016-11-30T13:50:32","date_gmt":"2016-11-30T21:50:32","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2148"},"modified":"2016-11-30T15:35:24","modified_gmt":"2016-11-30T23:35:24","slug":"fixing-an-svg-animation-vulnerability","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/","title":{"rendered":"Fixing an SVG Animation Vulnerability"},"content":{"rendered":"<p>At roughly 1:30pm Pacific time on November 30th, Mozilla released an update to Firefox containing a fix for a vulnerability reported as being actively used to deanonymize Tor Browser users. \u00a0Existing copies of Firefox should update automatically over the next 24 hours; users may also <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/new\/\">download the updated version manually<\/a>.<\/p>\n<p>Early on Tuesday, November 29th, Mozilla was provided with code for an exploit using a previously unknown <a href=\"https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2016-92\/\">vulnerability in Firefox<\/a>. \u00a0The exploit was later posted to a public Tor Project mailing list by another individual. \u00a0The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. \u00a0It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. \u00a0While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well. 
\u00a0Further details about the vulnerability and our fix will be released according to <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/bugs\/\">our disclosure policy<\/a>.<\/p>\n<p>The exploit in this case works in essentially the same way as the \u201cnetwork investigative technique\u201d used by FBI to deanonymize Tor users (as FBI described it in <a href=\"https:\/\/regmedia.co.uk\/2016\/03\/29\/alfin.pdf\">an affidavit<\/a>). \u00a0This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency. \u00a0As of now, we do not know whether this is the case. \u00a0If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At roughly 1:30pm Pacific time on November 30th, Mozilla released an update to Firefox containing a fix for a vulnerability reported as being actively used to deanonymize Tor Browser users. 
&hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/\">Read more<\/a><\/p>\n","protected":false},"author":142,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[45545],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Fixing an SVG Animation Vulnerability - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Veditz\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/\",\"name\":\"Fixing an SVG Animation Vulnerability - Mozilla Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2016-11-30T21:50:32+00:00\",\"dateModified\":\"2016-11-30T23:35:24+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2016\/11\/30\/fixing-an-svg-animation-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fixing an SVG Animation Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/04ad4267d6173c50c6a250887082f088\",\"name\":\"Daniel Veditz\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/f91fc8d11d145a8be6d59ec3e71ac970\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/da6b54ad3fdb36ba7656df9adfe65d12?s=96&d=identicon&r=g\",\"caption\":\"Daniel 
Veditz\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}