#VU1191 Use-after-free in Tor Project products - CVE-2016-9079
Vulnerability identifier: #VU1191
Vulnerability risk: Critical
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID:
CWE-ID:
CWE-416
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Mozilla Firefox
Client/Desktop applications /
Web browsers
Tor Browser
Client/Desktop applications /
Web browsers
Mozilla Thunderbird
Client/Desktop applications /
Messaging software
Vendor:
Mozilla
Tor Project
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing SVG animation in nsSMILTimeContainer::NotifyTimeChange() function. A remote attacker can create a specially crafted web page, host malicious SVG file on it and execute arbitrary code on vulnerable system.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Note: this vulnerability is being publicly exploited against Tor Browser users.
Mitigation
Update Firefox to version 50.0.2, Thunderbird to version 45.5.1, Tor Browser to version 6.0.7.
Vulnerable software versions
Mozilla Firefox: 49.0 b1 - 50.0.2
Mozilla Thunderbird: 45.0 - 45.5.1
Tor Browser: 5.0 - 6.0.7
External links
https://blog.torproject.org/blog/tor-browser-607-released
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
https://www.mozilla.org/en-US/thunderbird/45.5.1/releasenotes/
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
