Drop Everything, Update Your Firefox And Tor Browsers Now
Worse Than A Cheesy Christmas RomCom
Check your Firefox and Tor browsers for outstanding updates, as Russian hackers are exploiting a zero day on machines across North America and other continents. The first problem is with Firefox’s animation timeline feature which allowed code to execute within the web browser’s sandbox. It was actually patched back in October, but you should definitely check for any updates to ensure you are protected against this known threat as well as yet to be announced but likely already being exploited right now. The second issue is a privilege escalation flaw in the Windows Task Scheduler service which again allows code you do not want running outside of the sandbox, which wasn’t patched until last week.
The problem for users of the Tor browser is that one of the JavaScript exploits used in the attacks against Firefox is called main-tor.js, which implies RomCom is able to leverage these flaws in that browser as well. The attacks come from browser redirection, to a fake website the hackers controlled which would use the exploits to install whatever they wanted on the computer visiting the site, without any interaction by the user.
Stay safe out there!
RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) has been linked to financially motivated campaigns and orchestrated ransomware and extortion attacks alongside credential theft (likely aimed at supporting intelligence operations).
More Tech News From Around The Web
- Hackers exploit critical bug in Array Networks SSL VPN products @ Bleeping Computer
- QNAP NAS users locked out after firmware update snafu @ The Register
- Security? We’ve heard of it: How Microsoft plans to better defend Windows @ The Register
- China has utterly pwned ‘thousands and thousands’ of devices at US telcos @ The Register
- Are any of Apple’s official MagSafe accessories worth buying? @ Ars Technica
- Nvidia’s new AI audio model can synthesize sounds that have never existed @ Ars Technica
- Recreating Unobtainium Weather Station Sensors @ Hackaday