
Emergency Bulletin: Firefox 0 day in the wild. What to do.

This entry was posted in General Security on November 30, 2016 by Mark Maunder   77 Replies

Update at 2:32pm PST / 5:32pm EST: Firefox released a fix for this a few minutes ago. Update to Firefox 50.0.2 now to patch this vulnerability. Tor have also released a fix with version 6.0.7 of their browser. There is also a Thunderbird fix out, version 45.5.1. I also posted an extended update at the end of the post including data indicating this exploit may be part of a law enforcement operation.

/End Update.

We’re publishing this as an emergency bulletin for our customers and the larger web community. A few hours ago a zero day vulnerability emerged in the Tor browser bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle, which contains Firefox 45 ESR.

If you use Firefox, we recommend you temporarily switch browsers to Chrome, Safari or another secure browser that is not based on Firefox until the Firefox dev team can release an update. The vulnerability allows an attacker to execute code on your Windows workstation. The exploit is in the wild, meaning it’s now public and every hacker on the planet has access to it. There is no fix at the time of this writing.
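For readers who have to work out which machines in their fleet still need attention, here is an added example (my own code, not Wordfence's) that turns the version facts in this bulletin into a patch-status check: Firefox 41 to 50 affected and fixed in 50.0.2, Tor Browser fixed in 6.0.7, Thunderbird fixed in 45.5.1. The inventory rows are constructed for the example. ESR and pre-release builds (such as the 52.0a2 Developer Edition asked about in the comments) are deliberately not reported as patched, because the bulletin names a fixed build only for the mainline release.

```python
import re

# Fixed versions as stated in the bulletin (mainline releases only).
FIXED = {
    "firefox": (50, 0, 2),
    "tor-browser": (6, 0, 7),
    "thunderbird": (45, 5, 1),
}
FIREFOX_FIRST_AFFECTED = (41,)  # bulletin: Firefox 41 through 50 affected

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Split '45.4.0esr' into ((45, 4, 0), 'esr'); (None, text) if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None, text
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2)


def _cmp(a, b):
    """Compare version tuples, padding with zeros so (50, 0) == (50, 0, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def patch_status(product, version):
    """Classify one installed product against the fixed versions above."""
    product = product.lower()
    if product not in FIXED:
        return "not-in-scope"
    nums, suffix = parse_version(version)
    if nums is None:
        return "unknown"
    if suffix:
        # 'esr', 'a2' (Developer Edition) and similar: the bulletin gives no
        # fixed build for these branches, so never report them as patched.
        return "check-vendor"
    if _cmp(nums, FIXED[product]) >= 0:
        return "patched"
    if product == "firefox" and _cmp(nums, FIREFOX_FIRST_AFFECTED) < 0:
        return "unaffected"  # below the 41-50 range named in the bulletin
    return "update-required"


def triage_inventory(rows):
    """rows: (host, os, product, version). Returns the rows that need action."""
    findings = []
    for host, os_name, product, version in rows:
        status = patch_status(product, version)
        if status in ("update-required", "check-vendor", "unknown"):
            findings.append((host, os_name, product, version, status))
    return findings


# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = [
    ("ws01", "windows", "firefox", "50.0.1"),
    ("ws02", "windows", "firefox", "50.0.2"),
    ("ws03", "macos", "firefox", "49.0"),
    ("ws04", "windows", "firefox", "40.0.3"),
    ("ws05", "windows", "tor-browser", "6.0.6"),
    ("ws06", "windows", "thunderbird", "45.5.0"),
    ("ws07", "linux", "firefox", "45.4.0esr"),
    ("ws08", "windows", "firefox", "52.0a2"),
    ("ws09", "windows", "chrome", "54.0.2840"),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(*finding)
```

One caveat if you try to feed this from web server logs instead of an endpoint inventory: the Firefox User-Agent string carries only major.minor (`Firefox/50.0` for both 50.0.1 and 50.0.2), so logs can tell you a visitor is on the affected branch but not whether they have applied the fix. The macOS row is flagged on purpose: the exploit payload seen so far targets Windows, but Mozilla's own statement (quoted in the comments below) is that the vulnerability itself exists on Mac and Linux too, so those installs still need the update.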

Currently this exploit causes a workstation to report back to an IP address based at OVH in France. But this code can likely be repurposed to infect workstations with malware or ransomware. The exploit code is now public knowledge so we expect new variants of this attack to emerge rapidly.

This is a watering hole attack, meaning that a victim has to visit a website that contains this exploit code to be attacked. So our forensic team is keeping an eye on compromised WordPress websites and we expect to see this code show up on a few of them during the next few days. An attacker's goal would be to compromise the workstations of visitors to WordPress websites that have been hacked.

How this unfolded

On Tuesday just after noon Pacific time, someone published a 0 day exploit for Firefox and Tor to the Tor browser mailing list.

Original post

Since then researcher Dan Guido posted a series of tweets with some analysis of the exploit itself.

Dan Guido Tweets

Twitter user @TheWack0lian noticed the shellcode (code that executes on your Windows workstation once exploited) is very similar to shellcode likely used by the FBI back in 2013 to deanonymize visitors to child porn websites hosted by FreedomHosting. The FBI confirmed that they compromised that server and days later it was serving malware that would infect site visitor workstations. The code then reported site visitors' real IP addresses, MAC addresses (network card hardware address) and Windows computer name to a central server. This code is very similar.

Tweets

What we found

The shellcode in this attack calls back to IP address 5.39.27.226, which was a web server hosted at OVH in France. The site is now down. Our own research shows that if you look up this IP address in Shodan, it had an SSL certificate that is a wildcard for the energycdn.com domain name. The energycdn site itself is simplistic and according to archive.org, it has not changed since 2014.

Googling energycdn.com shows that the domain is used frequently to host pirated content. Norton Safe Web reports it hosts viruses. Google Safe Browsing transparency report says the domain hosts malware and redirects to malicious sites.

One could speculate that the server at 5.39.27.226 was used by energycdn.com as one of their servers to host pirated content. Perhaps the server was compromised by whoever controls energycdn to host that content and then was reinfected by the perpetrator of this new malware variant. But we’re speculating.
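The certificate observation above rests on how a wildcard name on a certificate is interpreted: `*.energycdn.com` covers exactly one label to the left of the domain, so it tells you the server was set up to answer as some host under energycdn.com, not for energycdn.com itself or for deeper subdomains. The following is an added example of my own (not Wordfence's code) that implements that matching rule and applies it to the subject alternative names a commenter posted for the energycdn.com certificate; the live lookup helper at the end is an assumption about how you would pull the names yourself, and it is not exercised here.

```python
import socket
import ssl


def san_matches(pattern, hostname):
    """Wildcard rule as used for TLS names: '*' is allowed only as the whole
    left-most label and matches exactly one label (no partial or nested matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # '*.energycdn.com' -> '.energycdn.com'
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part the '*' has to cover
    return bool(left) and "." not in left


def certificate_covers(san_list, hostname):
    """Return the SAN entries on a certificate that cover the given hostname."""
    return [name for name in san_list if san_matches(name, hostname)]


# Names as posted in the comments for the energycdn.com (Cloudflare) certificate.
ENERGYCDN_CERT_SANS = [
    "sni98251.cloudflaressl.com",
    "*.classian.com.br",
    "*.energycdn.com",
    "*.freeway.bz",
    "*.gocloudmine.com",
    "*.premiumize.me",
]


def fetch_dns_sans(host, port=443, timeout=5.0):
    """Live lookup (assumed usage, not run offline): read the dNSName SANs of
    whatever certificate the server presents, without trusting it.
    Note that getpeercert() returns an empty dict when verification is off,
    so the DER form is parsed with the 'cryptography' package instead."""
    from cryptography import x509  # third-party dependency, imported lazily
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # we only want to read the names
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)


if __name__ == "__main__":
    for name in ("cdn.energycdn.com", "energycdn.com", "a.b.energycdn.com"):
        print(name, "->", certificate_covers(ENERGYCDN_CERT_SANS, name))
```

The three cases in the usage block are the ones that matter when you read a Shodan result: `cdn.energycdn.com` is covered by the wildcard, the bare `energycdn.com` is not, and a two-level subdomain is not either. As Mark notes in the comments, the Cloudflare certificate whose names are listed here is not the one that was on 5.39.27.226, so the list is only used to illustrate the matching rule.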

Additional press coverage

Update at 2:03pm PST / 5:03PM EST on Wednesday:

Vice’s Motherboard provided an update 2 hours ago on this issue from a few sources. Here’s the summary and some context:

Remember, this attack targeted Tor users specifically and the goal of the attack was to reveal the identity of the browser operator. It is also very similar to a 2013 attack that was likely launched on child porn website visitors by the FBI to identify and arrest them. The fact that this exploit simply tries to reveal a user’s identity rather than infect them with malware indicates it is being perpetrated by a law enforcement branch in some country.

Vice is now reporting that their sources are saying this exploit is active on a child porn website called The GiftBox Exchange. There are also warnings on the Dark Web about the presence of this malware. In my opinion this strongly indicates that this exploit is in fact the FBI or another agency targeting visitors of The GiftBox Exchange.

Vice has reached out to FBI and Europol. FBI declined to comment and Europol did not respond.

My guess is that you will hear about this again a few months from now when the indictments start to emerge. If that is the case, and it is confirmed this is an FBI operation, this would make it clear that using 0 day vulnerabilities to actively exploit browsers for surveillance is the new modus operandi of the FBI. This technique was used in 2013 to target visitors of websites on FreedomHosting. It was used again to target and indict visitors of Playpen in 2015. And this technique is being used again today.

Firefox have now released a fix with version 50.0.2.

Tor released an update to their browser today that fixes this vulnerability.

Thunderbird have also released a security fix related to this.

You can find the actual Firefox vulnerability report here.





77 Comments on "Emergency Bulletin: Firefox 0 day in the wild. What to do."

Jeremy Weston November 30, 2016 at 2:17 am • Reply

thanks for the quick update wf! Shared this with MTT users!

Jeremy Weston November 30, 2016 at 2:18 am • Reply

I meant to type "my users".

Colleen November 30, 2016 at 2:35 am • Reply

Thank you WF! Have shared and stopped using FF immediately. Where/how do you suggest we keep track of happenings and when it would be safe to return to FF?

Thanks again - you guys rock!

Stefan November 30, 2016 at 2:35 am • Reply

Time to close down Firefox then!

Stefan November 30, 2016 at 2:37 am • Reply

BTW, please send an email when Firefox has fixed this!

wao thanks, shared with my members. November 30, 2016 at 2:37 am • Reply

Woa. thanks for the info. I Have this with my clients and members.

Paul Irvine November 30, 2016 at 2:49 am • Reply

5 stars to WordFence for this unprecedented update.

I've alerted my clients and fb following about this.

Thanks again for all you do,
Paul.

Julio November 30, 2016 at 2:52 am • Reply

Thank you for the heads up I'm going to share it on my blog.

Laxmikant S Bhumkar November 30, 2016 at 2:54 am • Reply

The vulnerability, CVE-2016-9078, only affects Firefox 49 and 50 and was patched in version 50.0.1. So just upgrade Firefox.

Andrew Yager November 30, 2016 at 4:05 am • Reply

This CVE is not the same, and not what is patched in FF 50.0.1.

I'm told that the exploit is not patched, but also not executable in its current form in FF (ToR uses older Firefox base code), and that it is not currently clear if it could be modified for an attack at this stage. I'd be waiting until it is patched.

Kabolobari Benakole November 30, 2016 at 2:55 am • Reply

How has Firefox responded to this?

xping November 30, 2016 at 3:03 am • Reply

sni98251.cloudflaressl.com
*.classian.com.br
*.energycdn.com
*.freeway.bz
*.gocloudmine.com
*.gocloudmine.net
*.khakukha.ru
*.longwoodmiddlepta.com
*.louisvuittonbnshopjpn.pw
*.mitati.cf
*.myfastfile.com
*.premiumize.me
*.radicallandscaping.co.za
*.reneautodismantling.com
*.residencial-pao-deacucar.com
*.steadyserv.com
*.stitchandpieces.com
*.vtchaplain.org
*.yarralearidingponies.com

mark November 30, 2016 at 9:26 am • Reply

Thanks.

These are the other valid domains on the multi-domain certificate for energycdn.com (proxied from CloudFlare). It's not the same certificate as the one from `5.39.27.226`, so I'm not sure how it's relevant or useful.

Mark.

Keith Taylor November 30, 2016 at 3:05 am • Reply

An aside that won't help with this, but will reduce the crap that hits your server. Restrict access from the OVH network. I do it with Cloudflare Captcha on AS16276.

Touda November 30, 2016 at 3:05 am • Reply

Thanks for the warning!

But we have a question: Is it safe to use Seamonkey? It's Netscape based, but not Firefox, as we understand...

Sean November 30, 2016 at 3:10 am • Reply

Does this affect all instances of Firefox? How about FF for Mac or iOS? My main/daily browser is Safari on a Mac, so I take it there is nothing for me to worry about right now?

Andrew November 30, 2016 at 4:03 am • Reply

FF for iOS uses Webkit, and so won't be affected.

Tad November 30, 2016 at 3:24 am • Reply

Linux users are safe?

Ambrish November 30, 2016 at 3:36 am • Reply

Firefox released version 50.0.1. with some security patches

https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/

Is this the same issue you were talking about?

mark November 30, 2016 at 9:27 am • Reply

No it's not. This is dated November 28th and at this point the FF team didn't know about the 0day. It only emerged yesterday, Nov 29th.

Dave November 30, 2016 at 3:33 am • Reply

Hi Guys,
thanks for the heads up, glad I switched to Linux Mint about 6 months ago now, have shared this with my contacts though.
Cheers
Dave

Andra November 30, 2016 at 3:34 am • Reply

Thank you!

Ambrish November 30, 2016 at 3:36 am • Reply

Firefox released version 50.0.1. with some security patches

https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/

Is this the same issue you were talking about?

Andrew Yager November 30, 2016 at 4:06 am • Reply

This is not the same exploit that has been patched in 50.0.1.

Ambrish November 30, 2016 at 4:27 am • Reply

Thanks for the reply Andrew. Waiting to get it fixed soon by Firefox developers

MARIANGELES November 30, 2016 at 3:48 am • Reply

Thanks a lot for your effort from Spain.

Rade November 30, 2016 at 3:50 am • Reply

Firefox just did an update when I started. Does this fix the problem?

Adi November 30, 2016 at 4:00 am • Reply

That's why WordFence is awesome. I really appreciate your warning mails and good explanations.

Paul Dunstan November 30, 2016 at 4:33 am • Reply

Thanks for this. How will we know when this vulnerability is fixed?

Also - is this the same as the vulnerability in the Tor browser exploited by the FBI back in May - which had the court case over it? In which case... is this new?

Markus Pirchner November 30, 2016 at 5:02 am • Reply

Hi,

does anybody know if this 0 day vulnerability affects FF Developer Edition (current version being 52.0a2) as well?

Agus Supriyadi November 30, 2016 at 5:15 am • Reply

Thanks for the information.

Pete Belfast November 30, 2016 at 5:32 am • Reply

Great work guys.

Thank you.

Harry Gils November 30, 2016 at 5:40 am • Reply

Thanks for the security update Wordfence and all the security information. I'm learning a lot just following your blog.

Matt November 30, 2016 at 5:41 am • Reply

Thank God I'm using Chrome and Mac :) Anyway thank you for notifying!

Elizabeth Kricfalusi November 30, 2016 at 5:48 am • Reply

Why is this getting so little press coverage? I've only found two other articles about it and it doesn't seem to be mentioned on the Mozilla or Firefox sites.

I would also like to know how to be notified when the patch is released.

Jay November 30, 2016 at 6:00 am • Reply

So the Tor browser part of this, is that an add-on that you'd have to download or is it what FF is built on? (like webkit for Safari)

Ilse November 30, 2016 at 6:23 am • Reply

Maybe you can keep us up-to-date through Twitter? This post isn't mentioned on your twitter, btw.
Thanks for the newsletter update! Thanks to that I know now :)
I've posted it on Twitter and sent it to a few people. Hopefully it gets solved soon. Firefox has always been my go-to browser.

Debbra Brouillette November 30, 2016 at 6:55 am • Reply

So just to confirm, if I am on a Mac, I can use Firefox without a problem?

Yawner November 30, 2016 at 7:02 am • Reply

So, a person has to be using Firefox and Tor, on a workstation, and go to an infected (watering hole) website before there would be any problem? Further it only affects two out of 50 something versions of Firefox? I'm not exactly experiencing panic.

baddronepilot November 30, 2016 at 7:54 am • Reply

I see Firefox Versions 41-50 and all ESR flavors in digging deeper. Tor users were affected because it's bundled with ESR 45.4. Not quite a yawn situation.

Kyle November 30, 2016 at 8:02 am • Reply

I think you misunderstood. It affects Firefox versions 41 through 50. It also affects recent versions of the TOR bundle, which apparently uses some code from Firefox 45. So you don't have to be using both TOR and Firefox simultaneously. The "watering holes" may or may not be an issue depending on your browsing habits, but the number of infected sites is probably growing rapidly... and just remember when you visit 1 site you may be pulling content from many others as well :)

eitsnm November 30, 2016 at 7:12 am • Reply

Thank you! I've shared it.

Jeremy November 30, 2016 at 7:50 am • Reply

Thanks for this alert. Passing it on. FYI, I have blocked several attempted brute force attacks coming from OVH based IP addresses.

Tom November 30, 2016 at 7:59 am • Reply

Firefox 50 uses sandboxing so this is not a big threat.

Roberto November 30, 2016 at 8:17 am • Reply

Who the heck still uses firefox? lol All these old school folks. Thanks anyway.

Netz0 Jim November 30, 2016 at 9:16 am • Reply

I think some people are confused about what the article is saying. It's not only affecting TOR editions of Firefox.

It's affecting all editions of Firefox, regardless if you are running Windows or Linux or anything else and no, Firefox has no sandboxing, that is false, they just recently started to add sandboxing only to a few processes (not security sandboxing but for resources) and only 1% of Firefox users are using that version today; if you have plugins, you don't have that enabled in Firefox 50. If the exploit is in the wild it means it can be exploited, regardless if you have or not a sandboxed browser.

This also includes the developer edition.

Mihanentalpo November 30, 2016 at 9:18 am • Reply

If I understood correctly, only Windows systems are in danger, and there's no need to worry for Linux users. Am I right?

mark November 30, 2016 at 9:27 am • Reply

That's right, for this particular exploit.

Juliette November 30, 2016 at 9:57 am • Reply

So I am OK on a Mac Pro? ...just want to clarify. Thanks!

mark November 30, 2016 at 10:01 am • Reply

Yes you are for this particular variant of the exploit. But update Firefox as soon as an update is released.

Juliette November 30, 2016 at 10:20 am • Reply

Thanks for the clarification Mark!

pete November 30, 2016 at 9:46 am • Reply

How about using FF in private mode?

Am I understanding correctly that this only affects wordpress sites?

mark November 30, 2016 at 9:57 am • Reply

No this affects anyone using the Firefox browser. Whether or not they use or connect to a WP site.

Robert November 30, 2016 at 10:02 am • Reply

Can I get a definitive answer from the Wordfence team on whether this exploit affects Macintosh users? Thanks.

mark November 30, 2016 at 10:07 am • Reply

It does not. The exploit makes calls to kernel32.dll, a core part of the Windows operating system.

Robert November 30, 2016 at 4:35 pm • Reply

Thanks, Mark!

Robert November 30, 2016 at 4:53 pm • Reply

I just read the Mozilla security blog post, and they say:

"While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well."

So to be clear, this particular exploit may not affect MacOS and Linux, but the vulnerability apparently still exists in Firefox for those operating systems.

Seems to me that a sibling exploit could already be out there, affecting those systems as well, and as yet undiscovered.

The blog post does not say whether Mozilla will be issuing Mac/Linux updates to patch.

Mary November 30, 2016 at 10:17 am • Reply

Thanks for this! You Guys really are mind blowing!

Hey Mark, how do we know if we are infected?
Thanks, Mary

mark November 30, 2016 at 10:21 am • Reply

If this is repurposed to not just unmask Tor browser users, but to drop malware/ransomware on Firefox workstations, then you will be infected on your local Windows machine. So the best way to know if you've been hit by this or not is to run a Windows anti-virus scan on your local machine and do that regularly. If you don't have one, you can find a sortable list of options here: https://www.av-test.org/en/antivirus/home-windows/

Brad November 30, 2016 at 10:22 am • Reply

I see Mozilla has released 50.0.1. Is this vulnerability patched in 50.0.1...?

mark November 30, 2016 at 10:29 am • Reply

The short answer is no, 50.0.1 is not a fix for this.

The longer answer is: This is a Firefox exploit. Tor uses Firefox version 45 ESR at its core. This exploit has been confirmed to work in Tor browsers. Someone, probably a government going after someone trying to stay anonymous, used this particular exploit to drop code on a workstation that sends a ping to an IP address from a Tor browser. That's not super scary for Firefox users, but it is very scary if you're a political dissident trying to stay anonymous from a government who is coming after you.

So again, this is actually exploiting something in Firefox and right now it's being used to unmask Tor users. However, this can probably be repurposed to drop malware on Firefox users. I mention a range of versions that are likely affected in the post above. This story is still unfolding and it literally broke less than 24 hours ago, so more data on which versions are affected will probably emerge.

One of the places I'm tracking this is on reddit: https://www.reddit.com/r/webdev/comments/5fpn4o/emergency_bulletin_firefox_0_day_in_the_wild/.

Take a look at the top comment. It looks like Firefox 50 has a lower likelihood of being vulnerable.

Regarding Firefox 50.0.1: NO that release does not fix this issue. It was released a day before this was reported and fixes a vulnerability related to what origin is inherited after a redirect. https://www.mozilla.org/en-US/security/advisories/mfsa2016-91/.

Hope that helps.

~Mark.
PS: Edited this a couple of times after I posted it for clarity.

Ian Claridge November 30, 2016 at 10:50 am • Reply

Everything I try to access in FF, it just keeps saying 'Secure Connection Failed'.

Having to use Chrome which is a pain as all my favourites are on FF

MakerDusk November 30, 2016 at 11:42 am • Reply

I've seen this in the wild on eztv.ag ads

Puppy November 30, 2016 at 11:46 am • Reply

Is the Firefox 64-bit Windows version affected as well? I suppose so, but what about the exploit code?

Mary Waldman November 30, 2016 at 1:53 pm • Reply

Firefox has the patch up, 50.0.2

mark November 30, 2016 at 2:08 pm • Reply

Thanks, updating the post now. https://www.mozilla.org/en-US/firefox/50.0.2/releasenotes/

Puppy November 30, 2016 at 2:15 pm • Reply

There is also Thunderbird 45.5.1 update.

mark November 30, 2016 at 2:19 pm • Reply

I'm only seeing 45.5.0: https://www.mozilla.org/en-US/thunderbird/45.5.0/releasenotes/

Can you post a link?

mark November 30, 2016 at 2:29 pm • Reply

Found it. https://www.mozilla.org/en-US/thunderbird/45.5.1/releasenotes/

mic November 30, 2016 at 2:07 pm • Reply

https://blog.torproject.org/blog/tor-browser-607-released

Paul Dunstan November 30, 2016 at 3:41 pm • Reply

So - are we now saying that this is fixed?

mark November 30, 2016 at 5:14 pm • Reply

Well, Paul I'm going to go ahead and say they released a fix. :-)

After some poking and prodding by researchers there may be follow-up fixes, but it looks like the immediate threat has been mitigated.

Mark.

Anon November 30, 2016 at 5:05 pm • Reply

Always Windows, always javascript. You know what you need to do to get real security.

Luca December 1, 2016 at 3:35 am • Reply

Thanks, may I have a suggestion, though? Make the hyperlinks open in a new tab or window, not in the same of the article, ;)

mark December 1, 2016 at 9:06 am • Reply

Darnit. I usually do that and forgot this time around. Thanks Luca.

Wil January 13, 2017 at 7:31 am • Reply

So the issue has been fixed? It is now safe to use firefox?

Diane January 14, 2017 at 11:30 am • Reply

When I downloaded the "fix" which was supposed to be Firefox 50.0.2, the file name is actually 50.1.0. So is that the latest version, which includes a fix? Can we use Firefox now?
