Firefox SVG Parser Use-After-Free Zero Day Exploit

CST:FIREFOX-SVG-UAF


Description

On November 29, 2016, a critical Firefox zero-day exploit was disclosed on a Tor mailing list. The exploit targets a use-after-free vulnerability in Firefox’s SVG parser. The JavaScript-based exploit can be triggered by a user visiting a malicious website. If successful, the exploit would allow the attacker to send direct system calls to kernel32.dll, which could allow the entire system to be compromised.

Vulnerable Versions

  • Firefox 41 to 50.0.1
  • Firefox 45 ESR
  • Tor Browser Bundle

Indicators of Compromise

The disclosed in-the-wild exploit calls back to 5[.]39[.]27[.]226. We recommend investigating any traffic going to this IP address.
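
One way to act on this recommendation, shown as an added example that is not part of the original advisory: refang the published indicator and search firewall logs for internal hosts that contacted it, comparing parsed addresses so that look-alike IPs do not match. The key=value log format, its field names, and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator exactly as published in the advisory (defanged).
IOC_DEFANGED = "5[.]39[.]27[.]226"

# Constructed sample lines in an assumed generic key=value firewall log format.
SAMPLE_LOG = """\
2016-11-30T09:14:02Z action=allow src=10.1.4.23 dst=5.39.27.226 dport=80 proto=tcp
2016-11-30T09:14:05Z action=allow src=10.1.4.57 dst=15.39.27.226 dport=443 proto=tcp
2016-11-30T09:15:40Z action=deny src=10.1.7.9 dst=5.39.27.226 dport=80 proto=tcp
2016-11-30T09:16:11Z action=allow src=10.1.4.23 dst=203.0.113.10 dport=443 proto=tcp
2016-11-30T09:17:30Z action=allow src=10.1.4.23 dst=5.39.27.226 dport=80 proto=tcp
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    """Turn a defanged indicator such as 5[.]39[.]27[.]226 into an IP object."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))


def find_callbacks(log_text, ioc):
    """Return {source_ip: [(timestamp, action, dport), ...]} for traffic to ioc."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # no parsable destination address on this line
        # Compare parsed addresses, not substrings, so 15.39.27.226 is not a hit.
        if dst == ioc:
            timestamp = line.split(" ", 1)[0]
            hits[fields.get("src", "unknown")].append(
                (timestamp, fields.get("action", "unknown"), fields.get("dport", "?")))
    return dict(hits)


if __name__ == "__main__":
    results = find_callbacks(SAMPLE_LOG, refang(IOC_DEFANGED))
    for src, events in sorted(results.items()):
        print(f"{src}: {len(events)} connection(s) to {IOC_DEFANGED}")
        for timestamp, action, dport in events:
            print(f"  {timestamp} action={action} dport={dport}")
```

Allowed connections identify hosts to investigate first; denied attempts still show that a browser on that host tried to reach the address.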

Patches

At the time of this writing no patches have been released. Mozilla is actively working on a fix and we expect patches will be available soon from both Mozilla and the Tor project.

Mitigation

Until patches are available, a workaround is to disable JavaScript in Firefox or use an alternative browser such as Chrome.

Threat Intelligence

We assess that the risk posed by this vulnerability is high. We anticipate that cybercriminals and other malicious threat actors will implement variations of the exploit.

Alert Detection

The Masergy Threat Intelligence Team has currently deployed the following alerts to detect the exploitation of this vulnerability:

CST:FIREFOX-SVG-UAF

Detected communication with command and control infrastructure used in an in-the-wild zero-day exploit for Firefox’s SVG parser.

Additional information can be found at:
