Firefox SVG Parser Use-After-Free Zero Day Exploit

Firefox SVG Parser Use-After-Free Zero Day Exploit



On November 29, 2016 a critical Firefox zero day exploit was disclosed on a Tor mailing list. The exploit targets a use-after-free vulnerability in Firefox’s SVG parser. The Javascript-based exploit can be triggered by a user visiting a malicious website. If successful, the exploit would allow the attacker to send direct system calls to kernel32.dll which could allow the entire system to be compromised.

Vulnerable Versions

  • Firefox 41 to 50.0.1
  • Firefox 45 ESR
  • Tor Browser Bundle

Indicators of Compromise

The disclosed in-the-wild exploit calls back to 5[.]39[.]27[.]226. We recommend investigating any traffic going to this IP address.


At the time of this writing no patches have been released. Mozilla is actively working on a fix and we expect patches will be available soon from both Mozilla and the Tor project.


Until patches are available a workaround is to disable Javascript in Firefox or use an alternative browser such as Chrome.

Threat Intelligence

We assess that the risk posed by this vulnerability is high. We anticipate that cybercriminals and other malicious threat actors will implement variations of the exploit.

Alert Detection

The Masergy Threat Intelligence Team currently has deployed the following alerts to detect the exploitation of this vulnerability:


Detected communication with command and control infrastructure used in a in-the-wild zero day exploit for Firefox’s SVG parser.

Additional information can be found at: