Thanks to the efforts from a few dedicated members of Trail of Bits (@withzombies, scott, and others), I have real info to share.
-
It's not possible to determine the origin of the bug -- fuzzer or manual analysis. IMHO the author developed the exploit from scratch.
-
The shellcode is fairly simple. It calls back to 5.39.27.226 (check your logs). Again, nothing outrageous here.
-
Final thoughts: the Tor Browser Bundle is unable to protect those that need it most. If you rely on it, strongly reconsider your choices.
-
Consider the difficulty of running a Tor exit node that injects this exploit into every HTTP session. ¯\_(ツ)_/¯
-
The story here is that there is no story. Software is buggy, 0days exist. Stop obsessing over single vulnerabilities. It's 2016, move fwd.
-
This is unlikely to work. All past info says LE exploits only run for very specific logged in users. https://twitter.com/csoghoian/status/803958781948338176 …
-
Could you please share whether this has been patched and what @FireFox version has the fix in it? FireFox just updated, so is it?
-
We're working on a fix. -BR
-
Thanks for letting us know. We thought 50.0.1 was the fix. Should we avoid using FireFox until another update?