Firefox and Tor release critical 0-day patch originating in FBI code

The security world woke up Tuesday, November 29 to alarming reports of a 0-day vulnerability affecting Firefox and the anonymous browser Tor. The news first broke when an anonymous admin of the getting access to VirtualAlloc in kernel32.dll." In plain English, when a Windows machine used Firefox or Tor with Javascript enabled, the 0-day exploit allowed malicious code to be run at any time due to a memory corruption vulnerability.

As the news began to spread about this dangerous exploit, security researchers began to notice similarities in the code to another exploit that the FBI utilized. One such security professional gave his analysis via Tweets, which are screen capped below:

The 2013 FBI code was able to decrypt user identities who visited child porn sites via Tor. It would then transmit non-proxy IP addresses, MAC addresses, and other data to a main server in an attempt to apprehend the criminals. While there has been no confirmation as to whether or not the FBI is involved in this new 0-day, it would not surprise me if that was the case. It is not uncommon knowledge that the authorities use cyber solutions that not only help catch dangerous people, but also open up normal citizens to dangerous hacks (see: the iPhone San Bernardino incident). Even if the FBI is not involved in this new exploit; its code was still used to create a dangerous and potentially catastrophic cyber incident.

I say "potentially" because, thanks to the due diligence of researchers and coders, patches have been released by both Firefox and Tor. As Tor pointed out in their patch notes, the security flaw has been utilized already by some malicious hackers, but the damage was not as great as it could have been.

This incident teaches us is that when it comes to cyber crime and cyber security, a set of standards must be adhered to. There are rules of engagement in war, and now that the FBI is playing with fire via exploits, there needs to be an updated rules of engagement in fighting the cyber war. Security experts want criminals brought to justice, but we also don't want the rights of regular citizens compromised in the process.

Photo credit: wordfence, @TheWack0lian, Cliff

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Apple Event 2019: Everything you need to know about the new iPhone 11

Apple has just unveiled three new iPhones — iPhone 11, iPhone 11 Pro, and iPhone Pro Max. Here is everything…

13 hours ago

Review: CoreView CoreAdmin for Microsoft Office 365

CoreView simplifies the challenging management of Microsoft Office 365 by creating its own management interface. Here’s our review.

16 hours ago

Exchange 2019: Should you update now or wait a little longer?

Exchange 2019 is out there glittering like a shiny new toy. But should you take the plunge and update now?…

19 hours ago

Privacy-by-design principles: Getting it right from the start

Embedding privacy-by-design principles in the building and design of a business, website, application, product, or tool is a good thing…

1 day ago

Check mailbox auditing status in Exchange Online with PowerShell

Office 365 Exchange Online admins must ensure all mailboxes created in Office 365 have auditing enabled. Here’s how to check…

2 days ago

T-Suite Podcast: Creative destruction — Proper IT asset liquidation

If you plan to liquidate your IT assets, it is critical you have a chain of custody for every device…

2 days ago