Tor browser is known for protecting the identity of its users and letting them use the web anonymously. However, the browser is not free from flaws and has had its fair share of vulnerabilities, which security researchers point out from time to time.
In the latest research, it was found that the vulnerability is not in Tor browser itself but in another browser, Mozilla Firefox, which is affected by a zero-day vulnerability. This zero-day in Firefox affects Tor browser because malicious code executed through Firefox also impacts Tor.
Ars Technica reported that the issue was highlighted by a Tor user and confirmed by the co-founder of Tor browser, Roger Dingledine.
Dingledine stated that:
“I pointed some folks on IRC to this mail, and Daniel Veditz (Mozilla Security Team) said ‘the Firefox team was sent a copy of that this morning. We’ve found the bug being used and are working on a patch.’”
He further noted that when the Firefox patch is released, which is due very soon, a Tor browser patch will also be available.
According to security researchers, the malicious code exploits a “memory corruption vulnerability” that allows it to be executed on Windows-based computers.
It must be noted that the same issue occurred back in 2013 when the Federal Bureau of Investigation (FBI) utilized the same strategy to identify some of the Tor users.
Firefox’s vulnerability is affecting Tor browser because the latter is based on the extended support release of the former.
Mozilla issued the following statement in response to the report from Tor and Ars Technica:
Through this exploit, the attacker can easily obtain the IP address, hostname and MAC address of the victim and send them to a remote server (220.127.116.11). This server is down at the moment.
The identified zero-day vulnerability is easily thwarted by moving the security slider to High in the Tor browser’s Privacy and Security Settings menu.