Mozilla Security Blog - November 30, 2016
Early on Tuesday, November 29th, Mozilla was provided with code for an exploit using a previously unknown vulnerability in Firefox. The exploit was later posted to a public Tor Project mailing list by another individual.
While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well. Further details about the vulnerability and our fix will be released according to our disclosure policy.
The exploit, in this case, works in essentially the same way as the “network investigative technique” used by FBI to deanonymize Tor users (as FBI described it in an affidavit). This similarity has led to speculation that this exploit was created by FBI or another law enforcement agency. As of now, we do not know whether this is the case.
If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web.
Firefox 50.0.2 security update - https://www.mozilla....US/firefox/all/
Firefox 45.5.2 security update - https://www.mozilla....anizations/all/