Mozilla Firefox users, and more specifically, Tor users, update your browsers now! An emergency patch has been released to address a zero-day vulnerability that is already being exploited by hackers to unmask Tor Browser users.
The Tor Browser is used for anonymizing web activity and it is partially based on open-source Firefox code.
The critical security bug is reported to be a use-after-free vulnerability in how Firefox handles SVG animations. A hacker who lures a user to a poisoned link or website could exploit the flaw to execute code remotely.
The attacker could then identify the user's IP and MAC addresses and forward them to a command and control server. This exploit is said to be similar to the technique used by the FBI in 2013 to unmask anonymous visitors of a child pornography website.
However, the server used in the current attack points to an IP address located in France, and it is unlikely that the FBI or another U.S.-based agency is behind it.
According to the Tor Project:
"The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect."
Firefox users should update to Firefox 50.0.2 or Firefox ESR 45.5.1, and Thunderbird users to Thunderbird 45.5.1, since the flaw affects Mozilla's email client too. Firefox should automatically update itself to the newest version after a browser restart.
Emergency update 6.0.7 for the Tor Browser is likewise available for download, so if you use this software regularly, please update as soon as you can.
To read the release details about the Tor Browser update 6.0.7, click here.
For Mozilla's security advisory about the emergency patch, visit this page.
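For administrators checking more than one machine, the fixed versions named above can be turned into a quick inventory check. This is an added example, not code from Mozilla or the Tor Project; the host names, product labels and inventory rows are constructed, and it assumes any build older than the fixed release on its channel needs the update.

```python
import re

# Fixed releases named in the article; product labels are this example's own.
PATCHED = {
    "firefox": (50, 0, 2),
    "firefox-esr": (45, 5, 1),
    "thunderbird": (45, 5, 1),
    "tor-browser": (6, 0, 7),
}

def parse_version(text):
    """Return ((major, minor, patch), is_esr) for '50.0.2' or '45.5.0esr'."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(esr)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), bool(m.group(2))

def needs_update(product, version):
    """Classify one install as 'update', 'ok' or 'review'."""
    product = product.strip().lower()
    try:
        nums, is_esr = parse_version(version)
    except ValueError:
        return "review"      # alpha/beta or malformed string: check by hand
    if product == "firefox" and is_esr:
        product = "firefox-esr"   # ESR has its own fixed release
    baseline = PATCHED.get(product)
    if baseline is None:
        return "review"      # product not covered by this advisory
    # An ESR build reported without the 'esr' suffix is compared against
    # the release channel and flagged, which errs on the safe side.
    return "update" if nums < baseline else "ok"

def audit(rows):
    """Group host names by status for (host, product, version) rows."""
    report = {"update": [], "ok": [], "review": []}
    for host, product, version in rows:
        report[needs_update(product, version)].append(host)
    return report

INVENTORY = [  # constructed sample data
    ("ws-01", "firefox", "50.0.1"), ("ws-02", "firefox", "50.0.2"),
    ("ws-03", "firefox", "45.5.0esr"), ("ws-04", "firefox", "45.5.1esr"),
    ("ws-05", "thunderbird", "45.5.0"), ("ws-06", "tor-browser", "6.0.6"),
    ("ws-07", "tor-browser", "6.5a5"),  # alpha string, cannot be compared
]

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(status, ", ".join(hosts))
```

Hosts in the `review` group carry pre-release or unknown version strings and need a manual check against the vendor's release notes.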