A day after it was reported, Mozilla has released an update that patches a zero-day vulnerability which was not only present but was being actively exploited against Tor Browser users, because Tor Browser is built on the same open-source Firefox code.
The new releases are Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1. According to Mozilla’s security team, the browser should update automatically at some point over the next 24 hours. Users who cannot wait can download the versions listed above directly from the company’s website and install them manually.
The vulnerability was disclosed on a public Tor Project mailing list on Tuesday. The Tor Project rushed to issue an emergency update for its Tor Browser, and now Mozilla has released an update as well.
The issue lies in nsSMILTimeContainer, an object used to produce SVG animation in Firefox. By the time it was discovered, it was already being used to de-anonymize Tor Browser users. “The exploit in this case works in essentially the same way as the ’network investigative technique’ used by the FBI to deanonymize Tor users,” said Mozilla on its official blog. There was also a notable mention of the possibility that the exploit was developed and deployed by a government agency.